Does it magically boot the system off known good media to check for rootkits/backdoors/trojans/[insert favorite evil here]???
No.
Does it magically monitor the traffic to and from the machine for a reasonable period of time to ensure that nothing is amiss???
No.
Does it reinstall the host OS from the original media and restore the last known good backup???
No.
So...what does it do?
It patches the hole and wipes out the worm if present, then deletes itself in 2004. Great...except, MSBlaster wasn't the only thing that took advantage of the RPC/DCOM exploit. Oops. Now the system administrator has no cause to take any of the above steps because from his view, sitting in his office running the latest eEye scanner, the machine was never vulnerable.
When will folks figure out that these so called "good worms" are not a good thing? The failure of the author to take note of such fundamental flaws in his or her logic suggests that they have no business doing anything, much less volunteering to correct the world's problems. Of course, this could be a deliberate cover-up...but somehow I think it's just another security cowboy trying to save the world.
You obviously have never worked in an enterprise level environment. Source is fine if you like to spend all day mucking with stuff, but when you need to install or upgrade something quick to patch some vulnerability or add some kind of new functionality, you cannot just go grab the source and compile it on 400 machines.
You have obviously never deployed Slackware in an "enterprise level environment" or else you'd realize that there is more to life than rpm packaging. Nobody compiles packages from source on 400 machines. Any data center with that many boxes is bound to have some sort of hardware standardization. You build the update on one and deploy the binaries using Slackware's package tool on the others. Who's mucking with stuff?
Some sales reps explicitly warn customers that they will be punished if they are caught with equipment purchased on eBay.
Any sales rep who used this sort of tactic with me would promptly find themselves in the parking lot with the sound of a slamming door echoing in their ear.
Does anyone have any suggestions on where to start getting a handle on the concept of network/computer security and what are the most important and useful applications (CLI primarily) that a person should examine and learn?
First you must understand that security doesn't really exist. It's all about mitigating risks and setting priorities. You just can't close every hole. The basic steps are simple:
1) Define what needs to be protected
2) Identify the potential threats
3) Prioritize (focus on most likely threats)
4) Put obstacles in place to slow down the attack
5) Monitor and react
6) ???
7) Profit
If the obstacles you put in place in step 4 slow the attacker down enough for you to react in step 5, step 6 becomes irrelevant.
Steps 4 and 5 are where the technical part comes into play and you can have all the flashy tools you want...but if you aren't any good at 1 and 2, you will fail. To answer the second part of your question, there are many tools out there. It's a "horses for courses" situation. What works in one situation might not even be considered in another. A good working knowledge of the relevant platform is more important than third party tools. Often, the right tool for the job is already there.
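Steps 1 through 3 of the list above are the non-technical part, but they are also the part people skip. The following is an added example (not code from the commenter) of a minimal risk register worked through in Python: assets and threats are entered, scored by likelihood times impact, and only those above a cutoff get obstacles and monitoring first. The register entries, the 1..5 scales and the cutoff of 10 are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: an asset (step 1) paired with a threat (step 2)."""
    asset: str
    threat: str
    likelihood: int  # 1 = unlikely .. 5 = expected (constructed scale)
    impact: int      # 1 = nuisance  .. 5 = severe   (constructed scale)

    @property
    def score(self) -> int:
        """Likelihood x impact; the ordering key for step 3."""
        return self.likelihood * self.impact


# Constructed register for a small shop; the entries and ratings are made up.
REGISTER = [
    Risk("customer database", "SQL injection through the web front end", 4, 5),
    Risk("customer database", "disk failure without tested backups", 3, 4),
    Risk("internal wiki", "defacement", 2, 2),
    Risk("mail server", "open relay abused for spam", 3, 3),
    Risk("workstations", "worm hitting an unpatched network service", 5, 3),
]


def prioritize(register):
    """Step 3: highest score first; ties broken by name so output is stable."""
    return sorted(register, key=lambda r: (-r.score, r.asset, r.threat))


def focus(register, cutoff=10):
    """The threats that get obstacles (step 4) and monitoring (step 5) first.

    Everything below the cutoff is accepted risk for now, which is the
    'you just can't close every hole' part of the argument."""
    return [r for r in prioritize(register) if r.score >= cutoff]


def report(register, cutoff=10):
    """Human-readable register, one line per threat, highest score first."""
    lines = []
    for r in prioritize(register):
        tag = "ACT" if r.score >= cutoff else "accept"
        lines.append(f"{r.score:2d} {tag:6s} {r.asset}: {r.threat}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(REGISTER))
```

The scoring is deliberately crude; the point is that the ordering comes out of steps 1 and 2, and any tool chosen in step 4 is chosen to address the top of that list rather than the other way around.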
I think the H1B program is bullshit too, but come on. Take this carping somewhere else. I suppose we should set up the detention camps for anyone who has the qualifications to replace you...cause you deserve a job dammit. Yo grandaddy's grandaddy was a half assed VB hack way back dur'n the wah of a-teen twev. Damn furriners. We're in a war!!! Please.
Agree. This is one of the most useless things I recall ever seeing. It does have a "cool factor" to it, but I can't think of any legitimate need for it other than circumventing the native restrictions on shared hosting accounts. If you want a shell that bad, get your own server.
Ok. I'll bite. Who's to say that there will not be a modded worm out in 36 hours that doesn't do what you expect? You? No thanks, I'll take my word over the comments of an Anonymous Coward...and suggest that everyone else does the same. The issue here is not stopping the spread of the worm that exploits the hole, but rather closing the hole in the first place. Cart --> Horse, not the other way around.
To make matters worse, Microsoft claims that they discovered the infection on Wednesday. I notified them on Monday that I was logging Code Red scans from their internal network. Apparently I was ignored...
So for instance, running SSH on a non-standard port that is not included in the list of ports scanners such as nmap probe by default is covering a design flaw in ssh??? I don't think so...
It's called taking every possible measure to secure your system. After locking a box down, it doesn't hurt to try to hide it as well...lest you wind up like the Captain of the Titanic, going down with your "unsinkable" ship.
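The order the comment argues for (lock the box down first, hide it second) can be checked mechanically. Below is an added example, not the commenter's code, of a small sshd_config auditor in Python that separates lock-down findings from the optional obscurity step. The two sample configurations are constructed, the defaults assumed for absent directives are listed at the top, and the parser keeps only the first occurrence of a directive because that is what sshd honours.

```python
import re

# Values assumed when a directive is absent (an assumption for this example;
# confirm against the sshd_config(5) man page of the version you run).
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes"}

# Constructed sample configurations, not taken from any real host.
WEAK_CONFIG = """
# default-ish sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {lowercased directive: value}; first occurrence wins, as in sshd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd_config(text):
    """Split findings into lock-down problems and the separate hide-it step."""
    conf = parse_sshd_config(text)

    def get(key):
        return conf.get(key, DEFAULTS[key]).lower()

    hardening, obscurity = [], []
    if get("permitrootlogin") == "yes":
        hardening.append("PermitRootLogin yes: disable direct root login")
    if get("passwordauthentication") == "yes":
        hardening.append("PasswordAuthentication yes: use keys, turn passwords off")
    if get("port") == "22":
        obscurity.append("Port 22: moving off the default port is a small extra layer, "
                         "worth doing only once the hardening findings are empty")
    return {"hardening": hardening, "obscurity": obscurity}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

The audit reports the default port under a separate heading on purpose: a non-standard port with password logins still enabled is the Titanic scenario from the comment, whereas a locked-down daemon on port 22 is merely easier to find.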
While I admire your DITY attitude, it's time to call an electrician. Anyone who advises you to do otherwise is foolish.
There is a definite problem enforcing best practices on users in a home environment.
I agree 100%. But the choice of how to respond to an incident should be left to the system owner, not some anonymous worm writer on the Internet.
I agree with this approach, but only as a last resort...and only by the FSF.
I think the AC here has you pegged.
I could be mistaken, but it was my understanding that Caldera bought SCO, not the other way around. I.E. SCO = Caldera / Tarantella = SCO
It doesn't set precedent any more than a local shop owner paying Mob protection money...
Perhaps that's why MS went ahead with the license. Fear of an IBM buyout, and subsequent "GPL'ing" of something they lifted from SCO.
Agreed. He seems to have a total lack of understanding about how the NT based kernels work.
Wrong. The entry point for the exploit is tcp/443, not udp/2002.
Wrong. You are still vulnerable to the hole that allows the worm to copy the source and call gcc to compile it in the first place.
As root, type: openssl version
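Reading the output of openssl version by eye is error-prone because the old release numbering mixed digits with a letter suffix (0.9.6 sorts before 0.9.6a, which sorts before 0.9.6e). The following is an added example, not the commenter's code, that parses that output and compares it against a minimum. The minimum baked in here is an assumption for illustration only; the real value comes from the advisory for your distribution.

```python
import re
import subprocess

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Assumed threshold for illustration; replace with the version your advisory names.
MINIMUM_OK = (0, 9, 6, "e")


def parse_openssl_version(output):
    """Turn 'OpenSSL 0.9.6e 30 Jul 2002' into (0, 9, 6, 'e').

    An empty letter suffix sorts before 'a' in Python tuple comparison,
    which matches OpenSSL's own ordering (0.9.6 < 0.9.6a). Releases from
    the 3.x line onward carry no letter and parse with an empty suffix."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised openssl version output: {output!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_patched(output, minimum=MINIMUM_OK):
    """True when the parsed version is at or above the minimum."""
    return parse_openssl_version(output) >= minimum


def check_installed(minimum=MINIMUM_OK):
    """Run 'openssl version' on this host; None if the binary is not available."""
    try:
        result = subprocess.run(["openssl", "version"], capture_output=True,
                                text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_patched(result.stdout, minimum)


if __name__ == "__main__":
    # Constructed sample outputs; the date strings are illustrative.
    for sample in ("OpenSSL 0.9.6d 9 May 2002", "OpenSSL 0.9.6e 30 Jul 2002"):
        print(sample, "->", "ok" if is_patched(sample) else "UPDATE")
    print("this host:", check_installed())
```

One caveat the version string cannot settle: vendors sometimes backport fixes without bumping the upstream version, so a "too old" result from a distribution package should be checked against that vendor's changelog before concluding the box is exposed.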
Well then...that screws up their press release claiming that only 2 boxen were hit. I've got logs from two other machines...anyone else?