These guys are late to the party.
FYI, Adam Bregenzer released an open source framework at DEFCON this year that provides pseudo-automatic multithreading, distributed password cracking capabilities AND takes advantage of existing commercial cloud computing services (à la Amazon, et al.). The framework is easily adaptable to any number of computationally intensive applications, though he provided hard numbers and demonstrations from his work using coWPAtty and John the Ripper.
https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Bregenzer
Damn straight! Instead of picking on FF for doing an effective job of exposing risk, we should be picking on those who run "legitimate" sites that haven't seen the need to stay on top of certificate updates. The whole point here is to make VERY clear to the user that FF is unable to determine the legitimacy of a "supposedly secure" site because the site owners haven't kept up their end of the bargain!
Anonym.OS provides the ability to automatically randomize MAC addresses at bootup. This is not done automatically, as doing so in certain environments (VMware, VirtualPC, MAC-restricted switch ports) may interfere with proper connectivity. Nonetheless, it's a Y/N question at boot time, and if Y it will be difficult -- if not impossible -- to effectively track a user across reboots, even from the same physical node.
You know, to give everyone -- especially the analysts and critics -- a little perspective on just how secure and scalable Linux is and why it /is/ so much more appropriate for the enterprise than Windows, I think we should coordinate a world-wide demonstration.
For just one day (hell, an hour would probably be sufficient), let's get everyone on the Internet who maintains a public DNS server, mail server and/or web server running on Linux to turn them off. Right? Let's turn off all of our "insecure, unscalable" Linux servers for an hour and see just how much these same critics can get done during that time.
What do you think would be their response? When there's no way to resolve most domain names into IP's, when there's no Google, no Yahoo, and no AOL, Earthlink, etc etc e-mail. Hell, even MSN Messenger won't work without proper DNS resolution. I suspect those same critics would change their tune rather quickly and reassess why most of the Internet isn't running on Windows -- because of the very same accusations, unfounded though they may be, that they're making about Linux.
BAE is now working on a transparent, ultra-thin version for windows.
HA. The only wallpaper I know of that protects Windows is 1024x768 and says "Gentoo" all over it...
I don't think you _are_ getting my point. SmoothWall GPL is not, as far as I can tell, a 'commercial product' per se.
The _different_ version available from SmoothWall.co.uk is.
I won't keep arguing this with you, because I do also understand your position; however, you also seem to have misunderstood my comments when I said that the Smoothie team has misinterpreted the GPL. I do not argue with the addition of proprietary software, or costs associated with books, media, consultation, etc. In fact, I think those are beneficial additions to the open code base, and are the things that I would certainly pay for if I'm happy with a product.
I have purchased Mandrake, RedHat and SuSe multiple times before, after already having burned the distro discs -- both to support the products and obtain the documentation and support that the retail versions provided.
I'm not gonna preach the 'whole world and all software should be free' rap, because I have bills to pay too. What I was trying to emphasize is that SmoothWall's GPL product does not very well fit the GPL bill. It is offered in a manner that is not unlike nagware or shareware.
Being open to providing helpful information to anyone who asks is what has made so many excellent GPL projects so successful. It is also what has encouraged the submission of new code from happy users and developers who have found newer and better ways to accomplish an unsatisfied goal.
SmoothWall does not encourage this. If you are, in fact, a user of their GPL software, they appear to not give a shit about your questions, concerns or suggestions. Quite the contrary indeed. The development team acts upset that they've had to give anything away in the first place, and overly conceited because they did.
And they don't act very proud of their product. Proud GPL developers are generally happy when other people use their products, not rude to those that do...
To rephrase your question, I haven't gone looking for support on an IRC channel. I have, however, gotten plenty of good information from helpful people that has helped me to resolve my own problems.
If I want support, I buy commercial software. I went to irc.smoothwall.org to inquire about features that were neither explicitly mentioned nor explicitly denied in any of the product documentation.
The responses that I got from the support/dev team at #smoothwall have nothing to do with any judgements I have made about the quality of the product, only the attitudes construed by the people whose hands I place my network's security in, and whom I would have to depend on for support should I choose to buy the product.
Bad attitudes and poor security practices are unrelated issues. However, they are unrelated issues that the SmoothWall folks seem to have brought together with their "GPL'd" firewall solution.
Pissed that I'd have to pay for the goodies?
I think you're missing the point. I'm an open-source advocate for a reason -- you don't _have_ to _pay_ for anything -- you support the community through donations or contributions (not always monetary) to the developers of the software that you like and use.
And you're right, I don't want to "pay someone else to do it for me" or I'd buy a commercial firewall and use commercial software for all of my security needs. However, I've generally found that _the_rest_ of the open-source community tends to produce better software than many or most commercial developers, and I can contribute to their efforts by giving back -- either in the form of code contribution or monetary compensation if I'm able...
...and if I'm not -- nobody bitches.
In fact, I've found that many developers are happy when their users submit constructive criticism alone, which we have all been trying to do for the SmoothWall team. Unfortunately, SmoothWall seems to resent our constructive criticism, and turns defensive when others make suggestions. If this had been the case when Linus wrote the original Linux kernel, guess what -- none of us would be using the operating system now because it would be unrefined crap. Instead, he realized that by giving it away and letting others help him improve it, he offered the entire community the benefits of his great idea.
I also love your use of "GPL'd version" and "perfect business sense" in the same sentence. I have no problem with anyone trying to succeed in business, however, I think the SmoothWall team has misinterpreted the GPL.
The GPL was not devised as a means by which to promote further marketing efforts to assist corporate entities in successfully selling proprietary software. (i.e. it wasn't designed as an alternate "shareware") In fact, quite the contrary. The GPL is a means by which to ensure that good software is shared by the community as are the benefits of its open code base.
And once again, regarding the security (or inherent insecurity) of the box: preaching to me about the lack of default access to a shell or the use of nonstandard port numbers _does_not_excuse_ the blatant ignorance of standard security practice.
There is no argument that can excuse such neglect.
ASKING? How about virtually demanding?!
I use open-source software EVERY day, general applications and security tools alike. And you guys at SmoothWall are the _first_ I've encountered to beg for money and refuse to assist those who don't offer any. That's not GPL, that's shareware. Shit, that's not even shareware, that's worse than nagware. You give me a feature-limited product and when I ask about the product's capabilities, you tell me, "donate money for us to help you with it, pay more if you want a real version, or piss off and leave us alone."
Many of the tools I use were written from scratch by people who had to expend at least as much time and money in development as your group. Look at Ethereal, Nessus, Astaro, FreeS/WAN, OpenSSH and the OpenBSD project.
Spend a while using Trinux, whose developer has personally invested countless hours individually supporting the people who use his product simply because we've all helped him to make it better! The end result? A damn fine product! And a well-tested product at that!
You guys need to do a little reality check, here. If you want money for the development of your project/product -- then make it SO DAMN GOOD people feel karmically compelled to send you donations. Bullying people into paying isn't gonna make them like your product, and probably won't help with word-of-mouth either. Hell, that's why we're having this discussion in the first place...
I have visited irc.smoothwall.org only once. I do feel, however, that my experience there alone was almost enough to discourage my use of the product. I joined the #smoothwall channel in hopes that I might find answers from knowledgeable users or developers that I had been unable to find in any of the available documentation (all of which I read in its entirety).
Upon joining the channel, I was bombarded with the omnipresent topic, "Welcome to #smoothwall:: Please do not expect free support if you haven't donated. http://redirect.smoothwall.org/donate"
Ignoring the blatantly anti-open-source sentiment, I proceeded to ask about features and functionality that I feel are paramount to implementation of a device designed to secure my entire network. Before anyone so much as regarded my first question, I was bombarded with "Have you paid yet?" A simple 'not yet' got me my first response: "Can't you read the f**king topic?!"
Of course, I wasn't looking for support -- simply answers to questions about the product's capabilities. Off to a great start.
In the end, my questions were answered, privately, by MacGyver, whose answers unfortunately indicated that features I think are critical in a firewall are only available in the commercial version. To suggest a few:
- No support for multiple IP's on the external interface
- No ability to write filter rules for outbound traffic
- No inherent ability to manage IDS policies used by Snort
- No immediate planned support for a stateful kernel
etc...
Granted, I could accomplish all of these tasks through custom modifications to the product -- but that would defeat the purpose of the product in the first place -- to create a secure filtering firewall that can be easily and securely managed through an integrated portable interface without the need for extensive customization.
To comment on the article posted this evening, I think that despite the article author's process for review or lack thereof, SmoothWall's response was unacceptable. To say that passwords are not shadowed because the box has but the root user would be to say that Bind and Sendmail need not be firewalled because their latest revisions have no vulnerabilities...
yet.
To say that the open-source security packages that comprise the firewall _require_ clear-text passwords is to insult the intelligence of everyone here who knows better or has found more secure alternatives to the same problems in the past. The open-source community is not ignorant, nor are we fooled by any company's efforts to conceal laziness.
Security is an unknown. We place our confidence in hybrid hardware and software solutions that provide protection from the exploits we've identified already, but we expect that new vulnerabilities are inevitable. We cannot neglect commonly accepted security practices because our products have not yet been broken. The corollary would be to argue against home alarms because we already have a lock on the door.
A single layer of security is never enough. ESPECIALLY for a firewall. If this were to be an end-user distribution sitting _behind_ a firewall, the lack of external access would _probably_ be enough. However, as a firewall, such neglect for security practices that have a negligible effect on performance but provide such a significant measure of protection is both arrogant and ignorant at the same time.
In conclusion, neither the product's lackluster featureset, nor its father company's poor customer support practices would have individually discouraged my using it.
Couple those with questionable security practices, though, and I can assure you that SmoothWall will never be enough to protect _my_ network...
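A check for the unshadowed-password point raised in the comment above, added here as an example (it is not from the thread, nor SmoothWall's own code): it parses passwd- and shadow-format text and flags hashes left in the world-readable passwd file, empty password fields, and legacy crypt(3) algorithms. The sample entries are constructed for the demonstration.

```python
"""Audit passwd/shadow-format text for password hashes that should not be there."""
import re

# Password-field values that mean "hash lives in /etc/shadow" or "login disabled".
SHADOW_MARKERS = {"x", "*", "!", "!!", "*LK*", "*NP*"}

# crypt(3) scheme identifiers and how a defender should regard them.
CRYPT_IDS = {
    "$1$": "md5crypt (legacy, weak)",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}


def classify_hash(field):
    """Describe the algorithm behind a crypt(3) password field."""
    for prefix, name in CRYPT_IDS.items():
        if field.startswith(prefix):
            return name
    # Traditional DES crypt: 13 chars from the crypt alphabet, no "$" prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "traditional DES crypt (legacy, weak)"
    return "unknown scheme"


def find_unshadowed(passwd_text):
    """Return (line, user, problem) for passwd entries that expose a hash or no password."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                      # passwd(5) entries have exactly 7 fields
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append((lineno, user, "empty password field: login with no password"))
        elif pw not in SHADOW_MARKERS:
            findings.append((lineno, user, "hash exposed in passwd: " + classify_hash(pw)))
    return findings


def weak_shadow_hashes(shadow_text):
    """Return (user, scheme) for shadow entries hashed with a legacy or unknown scheme."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[1] in SHADOW_MARKERS or fields[1] == "":
            continue
        scheme = classify_hash(fields[1])
        if "weak" in scheme or scheme == "unknown scheme":
            weak.append((fields[0], scheme))
    return weak


# Constructed sample files: a root hash sitting in passwd, an empty password, and
# a legacy md5crypt hash in shadow. None of these values come from a real system.
SAMPLE_PASSWD = """root:abJnggxhB/yWI:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
setup::1000:1000:setup:/home/setup:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
"""
SAMPLE_SHADOW = """root:$1$saltsalt$hashhashhashhashhashhash:19000:0:99999:7:::
admin:$6$rounds=5000$salt$hash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for finding in find_unshadowed(SAMPLE_PASSWD):
        print("passwd line %d, user %s: %s" % finding)
    for user, scheme in weak_shadow_hashes(SAMPLE_SHADOW):
        print("shadow user %s: %s" % (user, scheme))
```

On a live box the same functions can be pointed at the real files with `open("/etc/passwd").read()`; any finding from `find_unshadowed` means the hash is readable by every local account.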