Slashdot Mirror


User: wozz

wozz's activity in the archive.

Stories
0
Comments
52

Comments · 52

  1. Re:OT: "white hat" hacker training material? on L0pht Gives FAQ of @Stake Merger · · Score: 1

    The original poster said

    > In the next month and a half or so I'll be
    > making a transition out of my current job into
    > another post. This new position will require
    > me, among other things, to crack our pre-
    > deployment systems so that holes can be patched
    > before release.

    Hacking Exposed can certainly get him a good start on that. I'm assuming this is not a full-fledged security job, because if it were, they wouldn't be hiring someone who's posting here asking how to do the job. If this is a full-fledged security job, I agree with what you've posted for resources; however: you can read all you want, there's no substitute for experience, on the white- or black-hatted side of the line. If you're looking to become a full-fledged security professional, you can't just read what others write (although you do have to do that). That's where 99% of the security "professionals" come from, and they have no idea what they are doing because, while they may know how aleph1 writes a buffer overflow, they don't know where the buffer overflows are on their system.

  2. Re:OT: "white hat" hacker training material? on L0pht Gives FAQ of @Stake Merger · · Score: 1

    It's mostly a matter of competition. Bugtraq and NTBugtraq are not related other than by name. Bugtraq has been around since 1993 (started by a former boss of mine, Scott Chasin). NTBugtraq's only been around since 1997. Personally, I'm not a big fan of NTBugtraq. Everything posted there is also posted on Bugtraq, and there have been issues with Russ Cooper holding back information that's been submitted to the list for weeks until the bugs are fixed, which Russ might think is a good idea, but, unfortunately, that's not what full disclosure is all about.

  3. @Stake isn't just l0pht on L0pht Gives FAQ of @Stake Merger · · Score: 1

    While l0pht is a great component for @stake, it's certainly not the only thing they have going for them. Their CTO is Dan Geer, who should be well known to anyone involved with USENIX who reads ;login: regularly. Their management pool is pretty impressive too. Not a Pointy Hair amongst them.

  4. Re:OT: "white hat" hacker training material? on L0pht Gives FAQ of @Stake Merger · · Score: 3

    > Well unfortunately there is no one book to sum
    > up breaking into systems that is along the
    > lines of Applied Cryptography.

    Sure there is. Hacking Exposed. It's already been mentioned in this thread, but it's a great resource. I'm a security manager for a large ISP that is responsible for penetration testing as well as a bunch of other stuff, and being that it's rather hard to find qualified security people for reasonable salaries, hiring a good Unix/NT guy and making him read that book has proved pretty effective at making people 'think secure'.

    Also, the content of that book comes out of the security practice at Ernst and Young, where they offer a great 5-day course called "Extreme Hacking" (as well as courses on Incident Response and Computer Forensics), taught by some of the authors of "Hacking Exposed". It's $5000, but well worth it if you don't have the white or grey hat background. I haven't taken the course (my grey hat saved me $5k ;)) but I've heard many good things about it. And compared to the rest of the "security" classes out there, this is by far the best.

    Another important point to consider is that you don't necessarily need to have black hat skills to successfully secure a system. It helps, but you don't need it.

  5. Re:Full Feature List on Free Solaris 8 · · Score: 1

    I of course meant to say

    "Have you ever tried to use Linux WITHOUT the GNU utils installed"

  6. Re:Full Feature List on Free Solaris 8 · · Score: 1

    Have you ever tried to use Linux with the GNU utils installed? Oh, that's right, you can't.

  7. Re:How many of you have actually used Solaris? on Free Solaris 8 · · Score: 1

    > As systems become more and more powerful people
    > find less expensive midrange computers will do
    > the job just as well as the expensive servers.
    > The law of diminishing returns...

    Again I ask, have you ever used Solaris? The Netra T1 costs around $4k. That's not expensive.

    > The zelot like support of Linux has more to do
    > with open source (the develupment modle used)
    > than anything else.

    No, it comes from people who only have a vague idea how things really do work hiding their insecurities by barking loudly. There are plenty of other Open Source projects that don't have this problem, like OpenBSD (don't worry, I'll refute your point on them too).

    > Most of Linux comes from the GNU project.. the
    > soul of the open source movement... OpenBSD has
    > a legacy of it's own and it's harder to premote
    > open source while pushing an Os that started
    > off life as a commertal product.

    Well, then this "soul" is going rotten. The idea of Open Source is to improve software, not ignore the problems with your software and yell loudly that there are no problems. Secondly, OpenBSD did not come from a commercial product, I suggest you re-read your UNIX history.

    > However the complaint you have of Linux (the
    > develipment modle) should be equally true of
    > OpenBSD as they currently use the open source
    > develupment modle.. implemented diffrently...

    There is no one Open Source development "model". Open Source is a theory of how software should be developed; it's not a model. Two different implementations means two different models. Linux lets anyone stick anything together with the Linux kernel and call it a distribution. OpenBSD is an Operating System. It's a well thought out collection of tools and utilities that perform together flawlessly and consistently. All well integrated and well documented, and nearly bug free.

    > It is my experence however that managment of a
    > project not a develupment modle will encurage
    > or discurage slopy code.

    Uh, there's a difference between the way development is managed and a development model?
    Explain the difference please.

    > My experences with the code of closed source
    > products are not good.

    Well, good thing Solaris isn't closed source (did you even read the article this whole thread was spawned from?)

    BTW, I think it's time Slashdot integrated a spell checker.

  8. How many of you have actually used Solaris? on Free Solaris 8 · · Score: 2

    The one thing that puts me off /. is the constant Linux vs. The World jingoistic reactionaryism that takes place here. Linux is not right for every purpose, and by continuing to insist this, you're all no better, at least in my eyes, than Microsoft, which seems to also think they're the only right solution for everything. Solaris is one of the most stable platforms around, having personally used it for all sorts of projects since it was SunOS in disguise. I've also used and had to deal with Linux on and off since the pre-1.0 days. A lot of the negative comments I've seen here about Solaris are just laughably wrong. Personally, I'm an OpenBSD snob, but I'm not trying to push it on everyone for every purpose. If someone comes to me looking to develop a LARGE scale Internet application of some sort, I'm going to suggest Solaris, or, for smaller scale enterprises, or those that require a fair amount of security, OpenBSD. I'd NEVER suggest Linux, because my personal experience with it has been that the development model leads to sloppy code that bugs out at the wrong moment. I know you don't like to hear it, but that's my opinion. However, I'm certainly not going to deny you your love of Linux. If you like it on your desktop, great! If you like it on your web server, great! Just don't make me use it, and don't waste yours and everyone else's time trying to take over the world with it. The only difference between a world run by MS and a world run by Linux would be the strange Penguin fetishism.

  9. Re:Rules would allow BSD-licensed source, but not on More New Crypto Rules (UPDATED) · · Score: 1

    Explain how it is they have flourished THANKS to the GPL. They could have done the same with the BSD license. I'd think they'd flourished DESPITE the GPL.

  10. Re:Improved security - really? on OpenSSH Project Now at openssh.com · · Score: 1

    Keep in mind OpenSSH is by the same folks that brought you OpenBSD. They don't code sloppily.

  11. Re:What's wrong with SSH ? on OpenSSH Project Now at openssh.com · · Score: 1

    If there's a hole in something as widely used (and blindly trusted) as ssh, you can bet there are lots of folks working on exploiting it.

  12. Re:What's wrong with SSH ? on OpenSSH Project Now at openssh.com · · Score: 1

    Superior algorithms and stuff?

    Stuff like the latest exploit?

    And what exactly is the 'superior algorithm' you are still using ClosedSSH for?

  13. Re:My review of OpenBSD on OpenBSD review at linux.com · · Score: 1

    I'm not "busting" on anyone. If you want OpenBSD to survive, and thrive as the wonderful thing that it is, you need to support it. OpenBSD's support comes almost entirely from CD and T shirt sales. Feel free to download whatever you want, all I'm suggesting is that if you like it, support it. Besides, you can't download the cool stickers!

  14. Re:My review of OpenBSD on OpenBSD review at linux.com · · Score: 1

    Also, while I'm here: rather than use tcp wrappers, why not check out IPF? It's a much better way to tighten down your box than tcp wrappers. man ipf should get you started.
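    As an added illustration (not part of the comment above, and not OpenBSD's or IP Filter's own example files), here is the same "only the management net may reach sshd" policy expressed both ways. The interface name ne0 and the 192.168.1.0/24 management network are assumptions. The security-relevant difference is scope: hosts_access(5) rules only apply to daemons started through tcpd/inetd or linked against libwrap, so a listener that does neither is untouched by hosts.deny, whereas IP Filter sits at the IP layer and applies to every packet regardless of which program is listening.

```conf
# --- tcp wrappers: /etc/hosts.allow ---
# Only consulted by tcpd-wrapped or libwrap-linked daemons (sshd here).
sshd: 192.168.1.0/255.255.255.0

# --- tcp wrappers: /etc/hosts.deny ---
# Default deny for everything else that happens to consult libwrap.
ALL: ALL

# --- IP Filter: /etc/ipf.rules ---
# Applies to all traffic on the host, not just wrapped daemons.
# ne0 = assumed external interface; 192.168.1.0/24 = assumed management net.
block in log all
block out all
pass in quick on lo0 all
pass out quick on lo0 all
# Let the box originate connections and keep state for the replies.
pass out quick on ne0 proto tcp from any to any flags S keep state
pass out quick on ne0 proto udp from any to any keep state
pass out quick on ne0 proto icmp from any to any keep state
# The one inbound hole: SSH, and only from the management network.
pass in quick on ne0 proto tcp from 192.168.1.0/24 to any port = 22 flags S keep state
```

    The rule set is loaded with ipf -Fa -f /etc/ipf.rules (flush all rules, then read the file); "block in log all" first and "pass ... quick" for the exceptions gives a default-deny policy in which each pass rule stops further matching, and "flags S keep state" admits only a SYN for new connections and tracks the established flow instead of opening the return path permanently.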

  15. Re:My review of OpenBSD on OpenBSD review at linux.com · · Score: 1

    Rather than buying from cheapbytes, why not buy a bootable cd from OpenBSD's website and support the project?

  16. Re:Covad has been a nightmare. on VDSL Demoed · · Score: 1

    Covad installs their own DSLAMs in US West COs, so they can provide service in places where US West does not. In most cases, they bring in their own copper from the CO to you also.

  17. Re:2 arguments on Which BSD? · · Score: 1

    OpenBSD has a ports collection also, and there is a cvsup mirror of the cvs tree.

  18. Re:OpenBSD on alpha? on Which BSD? · · Score: 1

    OpenBSD works well on Alphas, with the exception of there being no dynamic libraries. This could be fixed by a donation of a fast Alpha box to the developers. And rather than get ISOs, why not buy a CD from OpenBSD.org and support the project!

  19. Re:As a matter of fact... on Which BSD? · · Score: 1

    Instead of downloading and burning a CD, how about ordering one from www.openbsd.org! It comes with neat stickers, and is the financial support for the project.

  20. Re:OpenBSD audits all its code... on Which BSD? · · Score: 2

    A lot of those bugs were in the base BSD code, and in the process of auditing OpenBSD, Theo finds the bugs and shares them with other BSD groups.

  21. Re:New? on Which BSD? · · Score: 1

    While I agree that FreeBSD and NetBSD can be configured securely, OpenBSD's security isn't only based on the fact that they turned off some daemons, etc. They go through every line of code to solve potential security problems. While FreeBSD and NetBSD will fix bugs when they are found, and even do some pro-active screening occasionally, it's not the same level of scrutiny that OpenBSD code goes through. Looking at the security vulnerabilities database on SecurityFocus shows 20+ vulnerabilities for FreeBSD, 16 for NetBSD and only 7 for OpenBSD. It's the care that's taken with the code to avoid problems not just now, but in the future, that makes OpenBSD the choice for anyone looking for a TRULY secure OS.

  22. Re:Immutable + Linux ==> chattr on Which BSD? · · Score: 1

    Of course, as opposed to BSD's flags, you can clear the immutable bit with a chattr -i. Not very useful as a security mechanism. With BSD's flags, you can't change them without lowering your securelevel (depending on the securelevel your kernel is running at).

  23. Re:Maybe not... on FCC Leaves Broadband Alone · · Score: 1

    If you live in a well developed suburb of Denver, I suggest you pay attention to the issue on the next ballot about renewing AT&T's cable charter for the city. Also, check out Covad; they are providing service in Denver, and in many cases can get it to you much faster than US West.

  24. Re:BSD is higher up the learning curve on OpenBSD Gains Commercial Support · · Score: 2

    Linux may have MORE documentation, but it's most certainly not better documentation. Compare the collective man pages of the two for a prime example. OpenBSD's are actually usable. There's very little need for HOWTOs and the like, because the documentation included with the OS is more than sufficient.

  25. Re:Linux on Servers on Dvorak On Linux And "The Big Time" · · Score: 1

    Totally agree there....

    Using SGI as an example of why Linux is great is a bad move. They are slowly but surely falling to pieces.