Unsafe At Any Runlevel

joestump98 writes: "In an effort much like Ralph Nader's effort to increase safety standards for the car industry, The Center for Internet Security plans to pressure software vendors into shipping products with the 'highest security settings available, making them less vulnerable to viruses and hacking ...' Some of its members include Intel and Stanford. The best part is they will be releasing testing tools for all of the major operating systems, including Linux."
  • by Anonymous Coward
    Coupled with this, it would sure be nice if journalists would start reporting fairly on security problems. I'm not the conspiratorial sorta type, but has anyone else noticed how most every MicroSoft-related security gaffe is reported in such a generic manner that it takes the heat (and spotlight) completely off of Redmond? A macro virus tripped by Word or a .vbs script that attacks Outlook and rips through its addressbook needs to be reported as a MicroSoft-specific virus|worm|trojan|etc. Rather, it's made to sound like a universal threat; spreading the risk across all OS's equally, instead of dropping it exactly where it belongs -- in Gate's buggy lap.
  • That's some nice trollage, right there. At least read the fscking blurb:

    In an effort, much like Ralph Nader's effort (...)

    Nader's got nothing to do with this, so take your Nader-bashing trollage elsewhere, please.
  • It's natural selection. The survival of the fittest idiot.
  • While I applaud the idea, and champion it myself, users and marketeers will resist this to the end.

    You see, security isn't user friendly.

    <sigh>

    When I've tried to push a "secure by default" position in the past, the response I usually get is: "But that would be a pain for the user! Let's make the secure configuration an option. The user that really needs security can just turn it on".

    The rub is, the ones who really need it don't know enough to turn it on.

  • The thing is most OSes come shipped with too many options for the average user: the reality is most people buy a full-scale PC because they have this delusion that they can utilise the full capability and flexibility of it (when they clearly are unable to do so).

    However, making security transparent to the user is also pretty bad: in most Windows software they do this by just getting everything running at system privilege (I haven't really come across anything that does otherwise - usually you run the setup program, at the end you reboot and next time the software is up and running automatically as system). Of course you can have installers that create users/groups, but then the issue is how can you be sure those newly created accounts won't be used, and when the user has no knowledge of how many accounts there are in the system the situation isn't all that pretty either.

    I'm always of the opinion that OS X is going to end up one of the most cracked OSes of all time, simply because the target users won't have the slightest clue what is happening to their computer. The same thing can be said for Windows XP. And if MS keep bundling HTTP/FTP/SMTP servers up and running by default just like Windows 2000, a lot of people will have plenty of fun.

    Actually, perhaps the thing to do is to encourage all the script kiddies to hack all the Windows machines they can find, not just defacing web pages, but doing some serious damage like copying the SQL database info and sending it off to the victim's competitors, then altering the data just enough to do damage but not bad enough to be noticed immediately - and after that data has been used for another few months..... well.. :)

    And after enough businesses are ruined because of all the user-friendly features of Windows perhaps people will start thinking of a more secure OS.

    Last rant: idea for a nice virus: after infecting an NT box, watch for access to .doc, .xls type files, then overwrite a few frequently accessed ones with some trojans - could be quite useful hitting NT boxes also running as file servers, and infecting all the 9x clients.
  • "Question... (Score:0, Flamebait)
    by GriffX (DONTjlgriffithsSPAM@MEearthlinkPLEASE.net) on 06:23 PM July 21st, 2001 EDT (#25)
    (User #130554 Info) http://www.griffx.com

    Will the leader of the Center for Internet Security be running for President in twenty years as a spoiler, handing the election to oh, say, George P. Bush that time around?
    These comments and opinions are mine and mine alone, although they shouldn't be."

    Dear moderator: A joke about Ralph Nader isn't necessarily a flame, especially since Nader was mentioned right off the bat in the story post.

  • "Whoops, disqualification! (Score:1, Flamebait)
    by SumDeusExMachina (god_from_the_machine@*REMOVETHIS*hotmail.com) on 06:37 PM July 21st, 2001 EDT (#36)
    (User #318037 Info)
    making them less vulnerable to viruses and hacking ...
    Well, you can just forget about Linux getting included in this initiative. After all, it is the most hacked-on operating system. Just ask Alan Cox or Linus.

    "Everybody knows what's best for you" - Bad Religion"

    have karma, will burn

  • by Sloppy ( 14984 ) on Saturday July 21, 2001 @05:00PM (#69975) Homepage Journal

    How do they keep their jobs if they can't change a desktop computer's security settings?

    Most people who administrate networks are not full-time professional network administrators. It's only 5% of their job, and the other 95% of their job is something else.


  • by Sloppy ( 14984 ) on Saturday July 21, 2001 @04:49PM (#69976) Homepage Journal

    But when it comes to Java, web browsing and other stuff, locking it down will only frustrate users who are used to browsers just 'working' - Imagine if they get hammered with popups about enabling cookies, Javascript, Java, etc.

    Yes, but if they disable Javascript, then they don't get the aforementioned popups. Then, as far as the user knows, everything works just fine.


  • Probably waiting for you to log in.

  • by sharkey ( 16670 ) on Saturday July 21, 2001 @02:18PM (#69978)
    "Hi, I'm Troy McClure! You might remember me from other User-Ed films such as "Why Mac Users Can't Handle More Than One Button," and "Web Browsers and Porn: The Origin of RSI."

  • ... is to never let it get to a C: prompt. Simply insert your favorite alternative OS install media into the appropriate drive before POST completes, and you never have to worry about all that again. Or order one preinstalled.... I dunno about *BSD, but there certainly are a lot of people [linux.org] pushing Linux boxen... and there's always MacOS, too...
  • Not much point responding to this since it's such an old topic, but there were a couple mistakes I thought I'd try to point out:

    Tom7 says:
    Yes, though this is typically only done in interpreted languages, like perl. Compiled languages (Java, O'Caml) are more likely to use execv-like system calls
    I'm not sure that that would be the case. There is a ton of code out there that uses system(3) to invoke sub-processes, despite the fact that system(3) is known to be a problematic interface from a security point of view.

    Tom7 says:
    Yeah, this is a good point. In fact, I bet my ftpd is more vulnerable to DOS attacks than wu_ftpd. (I think the user would have to commit as many resources sending data as I commit to receiving it, though.)
    Not necessarily. It is easy enough for the attacker to spoof the initial handshake of a TCP connection just by creating raw packets and writing them over a raw socket. Your server gets hit for a file descriptor per connection while the attacker gets hit for the cost of writing some packets. You'll definitely run out of file descriptors before they run out of anything unless you go to the trouble of culling old descriptors.
  • OH,
    I guess they are talking about all those other operating systems without FreeBSD securelevels.

    Read here [freebsd.org]


  • by thrig ( 36791 )
    Now all we need is a deep-sea diving company to retrieve the computers sealed in concrete blocks so the customer can actually do something with them.

    (if you want a secure computer, ...)
  • by nakaduct ( 43954 ) on Saturday July 21, 2001 @02:13PM (#69983)
    If this brings us closer to movie clips [dot.gov] of computers slamming into barriers, I'm all for it.
  • First, "force" does not mean only physical forces; you appear to be a fan of free markets, so I'm sure you're familiar with the term "market forces"?

    Second, as a legal fiction created by the state, Microsoft isn't subject to physical force. We could use force against Bill Gates, the Board of Directors, and/or the various shareholders and employees; we could remove property from the control of this legal fiction; we could even evoke its corporate charter (and any or all of these may be good ideas); but we cannot use physical force against a corporation.

    Third, the sophomoric "no initiation of force" rule fails so badly that its apologists have to come up with some very creative definitions of "force". A simple example - if you sit down on my front lawn and decline to leave, you aren't using force against me.

    (You also have neglected to account for fraud, but most libertarian capitalists will amend the rule to "force or fraud".)

    Tom Swiss | the infamous tms | http://www.infamous.net/

  • Out of the box, most OSes have WAY too many services enabled. All of the manufacturers do this in the name of "Ease Of Use", another way of saying "No Security". Urging companies to tighten up their security out of the box will slowly make the internet a better place for all.

    Micro~1.oft is the worst offender, because they strive for the easiest to use systems possible. They also know that 99% of their user base have no clue about computers beyond point-and-click of the few icons scattered on the desktop. Other /.ers are covering the micr~1.oft topic in greater depth.

    Sun is also pretty bad; they've been shipping their OSen with tons of unnecessary services enabled by default. Every Solaris install has sendmail, FTP, telnet and dozens of RPC services running, and quite often the stable versions of those services are old and have scripted exploits.

    Many other OS developers are in the same boat. Default passwords for unused accounts, obscure services that only 1% of the users ever even know about, and wide open services are the norm at HP, IBM, Oracle, etc.

    Apple is one of the few shining examples of good systems, but that is probably less for altruistic reasons than for their user oriented paradigm. They concentrate on the desktop and user, and not on network facing services. OSX is nice, because even though the system is loaded with BSD utilities, none are enabled originally, and require user intervention to turn them on. The way all systems should be.

    This pressure group has been needed for more than a decade, because companies like Sun have blithely ignored all calls to tighten up their system from security experts and groups like Usenix and NANOG. Before, there were many voices saying the same thing, but never really united. It will be good to see name-and-shame lists maintained by a central group, then I can spend less time maintaining my own lists of evil services to destroy^Wcomment out immediately after an install.

    the AC
  • KDE shut them up.

    HAH! KDE is much slower than WindowMaker and fvwm!


  • Heh. MS software is shit, security-wise, but so is much 'nix software.

    I think if the only daemons that ran as root were wrappers that setuid()'d to other users, we'd be rid of many 'nix security problems.

  • The primary reason people don't steal things randomly is because they don't want to get arrested. Yes, some people have morals, most of society -doesn't-.

    (Maybe where YOU live... B-) )

    Actually, most people are "good" or try to be. About one in 100 (between 1-in-50 and 1-in-200) are psychopaths (apparently a brain defect that corresponds to having no conscience). They generally won't be "good" unless they learn a set of rules that tells them how and find a reason that it's in their best interest to follow the rules, at least to the extent of not hurting others. Many of them do, but some don't. Another small chunk learns to be "bad" despite not having the problem.

    But these few "bad guys" can cause enormous havoc. So they have high visibility. So sometimes it seems like most of the people are "bad guys".
  • ... has anyone else noticed how most every MicroSoft-related security gaffe is reported in such a generic manner that it takes the heat (and spotlight) completely off of Redmond?

    Yep.

    And when they DO report that a particular virus or attack only hits Microsoft software they make it sound like that's because the bad guy was out to get Microsoft, completely missing that Microsoft is both the biggest and the most insecure target.
  • Hmm.. I wonder if the Itanium lets you execute the stack? Perhaps they could do some hardware stuff for 'This string is this length, and no longer than that damnit'. Quick change in compilers to add that instruction and tada -- many exploits gone and we have sloppier programmers to boot (myself included).
  • I can't wait until distributions start shipping with ACL support, and installed files come with ACLs that are as restrictive as possible. Also, with stuff like RSBAC's (www.rsbac.org) auth mechanism for fine control of setuid stuff and more fine grained capabilities control will raise the bar and make it more difficult for attackers to exploit buggy server software. Hopefully it'll be soon :)
  • Well, performance is important in a lot of situations. Businesses (often targets) will often choose performance over security simply because the cost savings are up front if you can run more on one box... security is one of those delayed savings things ("it won't happen to me" mentality). I agree that people should be using stackguard type things. I also think that we need to maintain least privilege concepts - don't let processes setuid to any user - restrict it (via rsbac), use ACLs to limit access to files to specific applications, run most programs under their own user, etc. This would stand to greatly limit the impact of buggy software.
  • by jesser ( 77961 ) on Saturday July 21, 2001 @02:33PM (#69993) Homepage Journal
    Ever tried to browse the web with IE set to the max security level? Lots of stuff stops working!

    Not only do things stop working, but IE continuously reminds you that you've made them stop working. All I did was disable ActiveX, and every time I visit a page with Flash, I get a window-modal dialog saying "Your current security settings prohibit running ActiveX controls on this page. As a result, the page may not display correctly."
  • I mixed up the Keyboard and Chair! Yeah, I should've previewed more. Guess I proved my own point. Haha.
  • by Redking ( 89329 ) <stevenwNO@SPAMredking.com> on Saturday July 21, 2001 @02:23PM (#69995) Homepage Journal
    Problem Exists Between Chair And Keyboard.

    No amount of pressuring of software vendors will make a difference. Did you look at the members [cisecurity.org] lists?!? No Microsoft, No Oracle, No SAP, No Computer Associates, No Adobe, No Red Hat...hmm, pretty weak IMHO. If the vendors really cared, they would already be members in the CIS and not have to be "pressured".

    Back to my initial acronym, PEBKAC. It's the weakest point in the chain of security. How many people do we know write their passwords in easily located places? How many people do we know download anything (directx updates, flash, Comet Cursor!)? How many people do we know still give out AOL passwords, even though the Instant Messenger windows have warnings not to give out passwords? Even if software security settings are the highest, social engineering will always be able to bypass wetware security settings. I'm not even going to mention exploits in software, just read BugTraq.

    Lastly, the car analogy doesn't hold up. You don't tell car manufacturers to build tanks because people are speeding and/or driving drunk. You educate them and if necessary, punish them. True, anti-lock brakes and airbags are standard in almost every modern car available today, but automakers only put them there because of pressure from the insurance industry. But do people still die from automobile accidents? Unfortunately, yes...again, PEBSWAC (Problem Exists Between Steering Wheel and Chair).

    redking
  • Actually, Intel DOES write a lot of software, including their own programming languages, C compilers, development systems, and a surprisingly large portion of what ships with Windows, including the Winsock 2 implementation for Win98! In fact, I'm willing to bet that less than 1/3 of what we call "Windows" is actually written by Microsoft, in much the same way that very little of what we call "Linux" was originally written by Linus...
  • Make your plans now folks... if we each did what Mr. McVeigh did to hostile government and corporate elements we can be freed from this impending nightmare.

    McVeigh killed loads of secretaries, kids, and low-level grunts, but as far as I know he failed to get even one policymaker. So if you want to rid America of secretaries, kids, and cleaning staff, by all means do what McVeigh did.

    -Legion

  • Maybe this would help force people like Microsoft to do more testing to make sure that such obvious and less than obvious holes and risks do not ship or get patched into their products.

    Oh, come on! Not even bad press made them do that, what makes you think a mere law would make them change their ways?

    Stefan.

  • Security issues should be addressed by software vendors in such a way that it is transparent to the user. While this is difficult, it can be done (e.g. Mac OS X hiding root from the user while still providing multi-user UNIX security).

    Until software vendors can provide the user with a computing experience that is at least as trouble-free as the current situation, tying the user's hands with more secure software won't do anything other than piss him off.

    And, after the third time trying to find which security feature has to be turned off so he can do what he wants (each time having turned off several features before finding the right one, though he leaves the others turned off just to be sure it keeps working), Joe Average Enduser turns off ALL security in one fell swoop, so as to never be hindered by them ever again. J.A. Enduser hasn't an inkling what each feature is about, and "frankly, my dear, I don't give a damn."

    Net result: less security than even the little now achieved.

    Oh, wait, let me guess: this idea comes from Gates, who has realised that as long as there's an internet, he can never beat the free software people. So step 1: Make sure the default setting on any computer by law makes internet a dud, step 2: J.A. Enduser opens up his computer so wide the crackers will destroy the internet, and this time M$ doesn't get the blame. Brilliant!

    The end of the 'net: Film at 11.

    Stefan.

  • No. The DMCA is about tools for defeating protection schemes to gain access to a copy-protected work.

    This is different, though it might also be illegal due to some other silly computer crime law.
  • I'm all for microsoft-bashing, but linux is no better in the security arena, it just has more security-adept users. (Apache vs. IIS, I might buy that.)

    Try installing a fresh 98 box on the internet (with nobody using it), and a fresh redhat box on the internet (also with nobody using it) and see which one gets hacked first!

  • I think this is bullshit. The DMCA is a bad law, but judges aren't stupid enough to fall for that. Next, would you argue that they outlaw crowbars because it is a tool that can be used to break into a bookstore, where copyrighted works are held?

    The DMCA is about digital copy protections like CSS and PDF encryption. It is not about reverse-engineering in general, though it does restrict certain kinds of reverse-engineering.

    Let's make sure we're realistic about what this law covers, and fight it on those fronts. It IS a bad law.
  • An AC rebuts,

    > It's not hard to do in C, either; you use strncpy() instead of strcpy() and 90% of overflows go away.

    I hear this a lot. If it is true, then why do we still have so many overflows in new programs?
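An added example (not from the thread) of why the strncpy() advice quoted above is not enough on its own: strncpy() does not NUL-terminate when the source is at least as long as the buffer, so the "fixed" copy can still be read past its end. The copy_bounded() helper below is my own; it always terminates and reports truncation so the caller can reject over-long input instead of silently mangling it.

```c
/* Added example, not code from the thread. Compares the unbounded idiom,
 * the strncpy() "fix", and a bounded copy that actually gives the caller
 * what it needs: a guaranteed terminator and a truncation signal. */
#include <stddef.h>
#include <string.h>

#define NAME_MAX_LEN 8   /* small on purpose so the cases are easy to see */

/* The classic unbounded idiom: a source longer than the buffer writes past
 * the end of dst (undefined behaviour). Shown only as the "before" and
 * never called below. */
void copy_unbounded(char dst[NAME_MAX_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Returns 1 if dst contains a NUL within its first n bytes, 0 otherwise. */
int is_terminated(const char *dst, size_t n)
{
    return memchr(dst, '\0', n) != NULL;
}

/* The strncpy() "fix": no write past dst, but when src is n bytes or longer
 * there is no terminator at all, and the caller has no way to tell. */
void copy_strncpy(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
}

/* Always NUL-terminates dst. Returns 0 on a complete copy, 1 if src had to
 * be truncated to fit (the caller should reject the input), -1 if n == 0. */
int copy_bounded(char *dst, size_t n, const char *src)
{
    size_t len = 0;
    if (n == 0)
        return -1;
    while (len < n && src[len] != '\0')   /* bounded scan, never past n */
        len++;
    if (len == n) {                       /* src + NUL does not fit */
        memcpy(dst, src, n - 1);
        dst[n - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, len + 1);            /* copies the terminator too */
    return 0;
}
```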

  • I don't think that's true, since it takes some deliberate work to give remote users control of your system in safe languages. In languages like O'Caml and Java, for instance, it is just impossible to run machine code that is part of the user's input. This is a property of the languages. In C it is easy.

    The kind of bug which gives a remote user the ability to execute arbitrary code is the worst kind. Those are predominantly buffer overflows and format string bugs.

    If you can show me a "natural" O'Caml program with a security hole of buffer-overflow magnitude in it (one that is "new" to O'Caml; it wasn't just as natural in C), I will believe you. Speculating that such bugs would exist is not quite convincing enough...

  • The authors of bind, wu_ftpd, IIS 5, rpc.statd, netscape, etc. are all lazy and careless? I don't think I believe that. What programs weren't written by lazy careless people?

    I think it is more because C makes it easy to make this kind of mistake.

    Moving to a safe language automatically gets rid of buffer overflows and format strings (not to mention other non-security related bugs). Then we don't need to expend the care to avoid them; we can spend our time on other security issues. That is what I'm saying.
  • I'm not sure that that would be the case. There is a ton of code out there that uses system(3) to invoke sub-processes, despite the fact that system(3) is known to be a problematic interface from a security point of view.

    Well, true or not, it doesn't change the fact that we can eradicate a more common and more difficult-to-detect security problem by switching to safe languages. Certainly we don't introduce any more in this system(3) class by switching from C to O'Caml, for instance.

    Not necessarily. It is easy enough for the attacker to spoof the initial handshake of a TCP connection just by creating raw packets and writing them over a raw socket.

    It is the operating system's responsibility to be hardened against syn-flooding, since it is what implements TCP. This is a language-independent issue.

  • I agree, but buffer overflows and format strings are the most common ones, and the ones which most easily lead to exploits.

    Calling shells with untested user-provided parameters (e.g. 'filename; rm -rf /').

    Yes, though this is typically only done in interpreted languages, like perl. Compiled languages (Java, O'Caml) are more likely to use execv-like system calls.

    Constructing filenames out of untested user-provided parameters (e.g. ' ../etc/passwd' - there should be more of '../' but Slashdot does not like that).

    True. This one usually doesn't lead to a direct compromise of the host, though.

    Not limiting resources (=> DoS Attacks); note that 'secure' languages are much more prone to that error because programmers usually don't care about size...

    Yeah, this is a good point. In fact, I bet my ftpd is more vulnerable to DOS attacks than wu_ftpd. (I think the user would have to commit as many resources sending data as I commit to receiving it, though.) However, DOS attacks are much less serious than compromises of the host.

    Trigger bugs in the environment (interpreter, compiler's RTL).

    Scripting languages: Constructing programme code including user-provided data (e.g. with perl's eval statement).

    Yes.. for this reason and the first one, I think scripting languages are also inappropriate (though not as inappropriate as C) for network applications and security-critical work.

    My overall point is -- if we can *automatically* get rid of the biggest class of security problems, why aren't we doing it? We can use the time we save checking for those bugs (and patching them) securing the programs in other ways, or perhaps optimizing them so that we get the speed some claim is necessary.
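As an added example (not Tom7's code or the ftpd he describes), a C helper for the '../etc/passwd' case in the exchange above: resolve_under_root() lexically confines a user-supplied relative path to a server root before any filesystem call is made; the root and paths used are constructed sample values.

```c
/* Added example, not code from the thread. Confines a user-supplied
 * relative path under a fixed root by walking its components: "." and empty
 * components are dropped, ".." pops the previous component and is rejected
 * when there is nothing left to pop, and absolute paths are refused. The
 * check is purely lexical, so it also works for files that do not exist
 * yet (uploads) and never follows symlinks while checking. */
#include <stddef.h>
#include <string.h>

#define MAX_DEPTH 64   /* maximum number of path components accepted */

/* Writes root + "/" + normalised user_path into out. Returns 0 on success,
 * -1 if the path is absolute, would climb above root, is too deep, or does
 * not fit in out (including the terminator). */
int resolve_under_root(const char *root, const char *user_path,
                       char *out, size_t outlen)
{
    size_t starts[MAX_DEPTH];   /* offset in out where each component begins */
    size_t depth = 0;
    size_t rootlen = strlen(root);
    size_t pos;
    const char *p = user_path;

    if (user_path[0] == '/' || rootlen == 0 || rootlen + 1 >= outlen)
        return -1;
    while (rootlen > 1 && root[rootlen - 1] == '/')
        rootlen--;                        /* copy root without trailing "/" */
    memcpy(out, root, rootlen);
    pos = rootlen;
    if (rootlen == 1 && root[0] == '/')
        pos = 0;                          /* avoid producing "//name" */

    while (*p != '\0') {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* empty ("a//b") or "." component: nothing to add */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return -1;                /* would escape the root */
            pos = starts[--depth] - 1;    /* drop component and its "/" */
        } else {
            if (depth == MAX_DEPTH || pos + 1 + len >= outlen)
                return -1;
            out[pos++] = '/';
            starts[depth++] = pos;
            memcpy(out + pos, p, len);
            pos += len;
        }
        p = end ? end + 1 : p + len;
    }
    if (pos == 0)
        out[pos++] = '/';                 /* root "/" with an empty path */
    out[pos] = '\0';
    return 0;
}
```

A lexical check like this does not account for symlinks that already live inside the root; a daemon that serves files also needs chroot(2) or a realpath(3) check on the file it actually opened.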

  • by Tom7 ( 102298 ) on Saturday July 21, 2001 @03:47PM (#70008) Homepage Journal

    Awright, soapbox time!

    Redhat, or someone who makes a user-oriented linux distribution, should put together standard internet services which are written in a higher-level language than C. Perhaps they will not be super high-performance, or perhaps they will not have the advanced features of sendmail or bind that most users don't use. But if they're written in a safe language like Java or O'Caml (or, to a lesser extent, scripting languages like Python) we will see the largest class of security holes vanish overnight -- buffer overflows. (Also, format-style bugs, too!)

    Though I don't necessarily think this would slow them down [bagley.org] -- even if it did, I am guessing that most people would take security over speed any day. I certainly would; hardware is cheap but my time patching and responding to incidents isn't!

    I know that C is highly regarded as a systems programming language; it has many useful features in this respect. But it happens to encourage some idioms which are entirely inappropriate for network or security-critical applications. It's really not that hard to do systems programming in other languages. I kept saying this and people kept arguing with me, so I rewrote ftpd in SML [standardml.org] . It only took me a few days; maybe a bigger team or better programmers could crank these out even faster. Here is the source code [sourceforge.net] . (Also identd [sourceforge.net] and fingerd [sourceforge.net] ). These are not as featureful as their standard counterparts, but they are much much shorter, and buffer-overflow free.

    If they can't do that because it seems like too much work (I believe moving to a more modern language would be worth it anyway), why aren't they at least compiling their default installs with stackguard [immunix.org] ? This is so easy to use, and makes exploiting buffer overflows so much more difficult. The speed loss is imperceptible and existing code carries over.

    Let's leave the last 30 years of the last century behind us and move to a world without buffer overflows! If we do this, we can perhaps spend less time worrying about security (our current practices are NOT WORKING, by the way) and start worrying about more important things!

    (Yes, it's true that the sshd problem is just dumb coding and is not C's fault. However, most of the rest of this year's, and last year's big security holes come from buffer overflows. Viz: Code Red worm, BIND exploits, wu_ftpd exploits, etc...)

  • I was recently reading about the new Microsoft technologies (SOAP, .NET, etc) and I have to say that it doesn't look good on the safety front. True, the whole Microsoft Passport/crypto authentication is a step in the 'right' direction, in the sense that it cuts down the amounts of software that can be run. However, I can see SOAP giving serious headaches to sysadmins in the future.

    Knowing Microsoft, bugs will remain to exist in their software, ie Outlook, that nice newly discovered bug [theregister.co.uk] in Office XP, and so on. Presumably the same will be true of approved third party software. SOAP [develop.com] would appear to involve passing XML through port 80 ie as an HTTP request (not so bizarre in a sense)... which when you come to think about it means that a sysadmin (or any firewall software user) can no longer rely on blocking ports to secure a computer.

    Meaning that firewall software is going to have to make more of a point of scanning for content, just, but it's strange how Microsoft manage to add 'security' by constraint whilst simultaneously messing up in the other direction. It's not going to be enough to lay down the law to software vendors about 'the highest security levels' without going into 'why we use standards and don't go off doing whatever the hell we feel like just to confuse sysadmins and break firewalls'. (This might be why Schneier seems so dubious about the measure...) Having said that, congratulations to all 170 members of the Center for Internet Security for trying - at least it gives them legitimate grounds to gripe when Microsoft open new and innovative ways to destroy PCs and deliver viruses via HTTP and email...

  • You don't actually force them to do much of anything, you just open them up to lawsuits if they make a seriously insecure system the default.

    At the very least, what you need to do is make it so that the highest security level is clearly available for the default install. Much like the RedHat Firewall stuff in 7.1, that brings a pop-up that gives high-security as an option... (though a not terribly workable option if you actually want your machine to talk to the world much).

    There's the old adage that the only fully secure system is encased in cement (unplugged) and sitting at the bottom of a lake -- and that presumes you can control physical access to the lake.

    One of the fights for secure systems is to balance usability with risk. The most usable systems have little or no security. The most secure systems tend to have their usability curtailed.

    Then there's Windows, which is neither very secure nor very usable -- and the two may be related.

  • Have you flamed SpanishInquisition today?

    That was unexpected ;)
  • Would tighter security by default in Internet Explorer not force Web designers to use less ActiveX, Java, etc. in their web pages?

    That would be a good thing, no?

  • Anybody notice the irony in having restrictive terms of use for the license? You can't put the license on a computer network. How do you follow it if you can't even distribute the license?
  • Well, it's nice to know someone's looking out for our safety. We wouldn't want 31337 H4X0RZ all over us. Now, we have an anti-terrorist force of 31337 50F7W4R3 6U4RD5 out to protect us.
  • The DMCA is about tools for defeating protection schemes to gain access to a copy-protected work.

    Say we have a protection scheme. Call it a "share." There are copyrighted (but legitimately licensed) works on this share, but the system requires an authentication step to access the works. Now, if a fellow figures out how to get into a share without the information necessary to authenticate, he has violated the letter of the DMCA.

    It is highly likely that at the next report of a hole in Windows shares, Bugtraq will be sued for disseminating information on how to get w4r3z from an unsuspecting user who has shared the C: drive.

  • Will the leader of the Center for Internet Security be running for President in twenty years as a spoiler, handing the election to oh, say, George P. Bush that time around?
  • It's very common for vandals to subvert poorly secured computers for distributed DoS attacks. On that basis, everybody who wishes to attach a computer to the Internet has a duty of care to the rest of the Internet community to keep his/her computer up to a reasonable level of security.
  • The security of the privileged TCP ports under Unix is crazy. OK, you don't want just anybody to be able to open port 25 on a Unix box, but to restrict it to the root account (i.e. the one account which if compromised can cause maximum damage) is just brain dead. It should be possible for root to reassign ownership of TCP ports to other users (just like with ordinary files). In fact, if it was up to me, it would be impossible for a root owned process to open any TCP port (privileged or otherwise).
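An added example (not from the thread) of the usual workaround for the privileged-port rule, which is also the "root wrapper that setuid()s to another user" pattern mentioned earlier in the thread: bind the port while still root, then drop to a service account before handling any client data. bind_listen(), drop_privileges() and the numeric ids 65534 are my own placeholders, and a POSIX system is assumed.

```c
/* Added example, not code from the thread. A daemon that needs port 25
 * binds it as root and then gives root up for good; if the drop fails it
 * refuses to serve at all rather than serving as root. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Creates a listening TCP socket on port (root is needed for ports below
 * 1024). Returns the descriptor, or -1 on failure. */
int bind_listen(unsigned short port)
{
    struct sockaddr_in addr;
    int one = 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 ||
        listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Irreversibly switches to uid/gid. Order matters: supplementary groups and
 * gid first (they still need root), uid last. Returns 0 only if every step
 * succeeded AND root cannot be regained afterwards, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                  /* clear extra groups while still root */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* If root can be regained, only the effective id was dropped and the
     * saved id still holds root; a later bug could escalate. Treat that
     * as a failed drop. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Placeholder ids: a real daemon looks its service account up with
     * getpwnam() before dropping. */
    const uid_t service_uid = 65534;
    const gid_t service_gid = 65534;
    int fd = bind_listen(25);       /* done while still root */
    if (fd < 0) {
        perror("bind_listen");
        return 1;
    }
    if (drop_privileges(service_uid, service_gid) != 0) {
        perror("drop_privileges");
        return 1;                   /* never accept clients as root */
    }
    printf("listening on port 25 as uid %d\n", (int)getuid());
    close(fd);
    return 0;
}
```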
  • Since nearly everybody runs Microsoft software, it *is* more or less a universal threat. It would be great if the journalists could put in the line "but Mac and *nix users are not affected." in each of these reports, but all they know about computers is what they see on their own desktops each day, which is probably a Windows box.
  • I agree, but buffer overflows and format strings are the most common ones, and the ones which most easily lead to exploits.

    This is exactly backward. Those particular exploits are the most common because there are so many system programs written in languages where they're the exploits of choice, and because exploit writers have lots of practice taking advantage of them. If you switched to a different language with a different set of pitfalls, you'd find that the exploits would be different but not necessarily any less damaging or less common. There might be something of a reprieve while the exploit writers got used to taking advantage of a new set of problems, but there might very well be more errors to find because software authors were less used to the new pitfalls they're facing.

  • Security and usability are at the opposite ends of the computing spectrum.

    That may be somewhat true, but it doesn't mean that there's necessarily a linear tradeoff between security and usability. For instance, turning off by default services that only advanced users will want to have available is a pretty good idea. Ordinary users aren't going to notice that they're missing anything, while the advanced users will be smart enough to know which things to turn on to get the services they want. The tradeoff there is a tiny bit of usability for a lot of increased security, which is a good deal.

    Similarly, switching from a well-designed single-user to a well-designed multi-user system should increase security quite a bit without excessive difficulty for the users. Users will still be able to do the kinds of things that they want without risk of their files being read/clobbered by another user. When they try to shoot themselves in the foot, though, the system kindly steps in and tells them that they need help from a sysadmin to do that. I find that this is nice even on my personal system that I don't share with anyone else; I've probably saved myself more grief by having a safety mechanism there to prevent stupid errors than the time wasted by su'ing to root.

  • Hi guys. My roommate and I have been studying various security tools based on open source and Linux. I'm using primarily the Immunix tools [immunix.org] including the Stackguard patches to GCC, the SubDomain patches to the kernel, and the FormatGuard patches to glibc. So far, I use either the whole Immunix OS distro which is based on an updated Redhat 7.0 (almost 7.1) or Mandrake 7.2 piecemeal upgraded with Immunix RPMs. He's primarily using Mandrake 8.0 plus the various patches at Get Rewted [getrewted.net], which includes the kernel-based LIDS ACL patches, the portsentry IDS, the libsafe wrappers to glibc, and such.

    You can even install some premade Immunix packages on top of Mandrake or Redhat. I'm successfully running apache, bind, pidentd, and openssh from Immunix conveniently on top of my good old Mandrake 7.2. I got it from the nice mirror at ibiblio [ibiblio.org] and just installed them like any other package.

    There is minor overlap in functionality between the two kernel-based and glibc-based subsystems, but it seems to me that the rest of these methods are all complementary. Do any of you know of a comparison between them or any analysis of them together?

    Relevant criteria would include the development methods, objectives, and priorities such as the fact that as far as I know, LIDS and everything from Immunix only run on IA32. :( Then there may be technical superiority or optimization. They're all open source compatible so we're covered that way. Any other criteria?

    To recap:

    • either LIDS or SubDomain for kernel level ACLs for processes
    • either libsafe or FormatGuard for glibc format trapping
    • portsentry for IDS and port scan protection
    • StackGuard to compile all your buffer overflow sensitive binaries (or use those made from Immunix)
    • What else?


    ===
  • You may remember Nader and Joan Claybrook's crusade against seat belts and seat belt laws... They felt Americans were too stupid to wear seat belts. Instead, they wanted air bags, which they viewed as this magical pillow of air that would keep us all perfectly safe. In reality, airbags tend to kill people if they aren't also wearing a seat belt.

    But, as seat belt laws were enacted, usage increased dramatically. And, when they are made primary offenses (enough to be stopped by the police without any other reason), usage goes up even more to near 80%.

    My point is, people need to know how and why to protect themselves. If we simply rely on technology and settings that come from the factory, security problems will only increase. Like airbags, good security settings are important. But they are only going to be effective when people view security as something that a proactive and responsible person concerns themselves with.

  • It will never happen. What is Intel thinking? They don't write much software anyway. As long as strings and user-entered data exist in software there will always be a new way to exploit something. Nothing will ever be 100% secure. Besides, shipping Windows in "reduced functionality" has already proven to be a pain. -Josh
  • That assumes that journalists recognize that there are other OSs out there. And that these problems aren't "Acts of God", earthquakes, hurricanes, Outlook-viruses, tornadoes, Word-macros, etc.
  • The group is developing a minimum security standard for computers connected to the Internet that vendors can follow and offering free tools for computer users and network administrators to test the security levels of their systems.

    Doesn't this violate the DMCA? No 'hacking' tools allowed, no reverse engineering, etc. Wouldn't a security checking tool tend to violate the DMCA?
  • I don't think that the goal is to get the government to require secure computer systems. Granted, whenever there is a "safety issue" the government tends to get involved and try to "help", but the Center for Internet Security seems to want industry partners to help each other.

    See their Charter's section on Participants in the Process [cisecurity.org], there are a few government agencies involved, but they are there in capacities which can only be filled by them. The FBI is the best to ask about how to collect data which can be used in a court of law, and one aspect of security is "get the bad guy" after he's done his deed. So why not ask the FBI how you can best support their efforts to find the guy who screwed you? Then there are the various secret-type agencies who are rather good at testing and classifying systems based upon security, so they might be good to talk to when establishing benchmarks.

  • In other news, the automotive industry has taken a cue from the software industry and implemented what it is calling "End Driver Agreements".

    Head of the Automotive Licensing League, Bob Smith: "These agreements allow A.L.L., as providers of world-class transportation devices, to offer our customers a quality product, at a reduced price. Most of our Drivers will not notice any change in their Driving Experience (TM), only a decrease in the price they pay for our top-tier products. We manage this amazing feat by removing only one feature, a feature which almost no one uses, and which costs exorbitant amounts of money. With this near-useless 'feature' removed, we can produce our world-famous transportation solutions at a reduced cost, and pass the savings on to you, our valued Drivers."

    Opponents of the new EDAs claim that people who purchase a car and sign an EDA forfeit any and all rights to sue the car manufacturer. These opponents further claim that if EDAs were in widespread use, car manufacturers could all reduce the amount of money they spend on safety features and safety research, and victims of the resulting accidents would have no legal recourse. The A.L.L. spokesman denied these allegations, and that's good enough for this reporter.

    So stop complaining and sign the Agreement.


  • Which would be an excellent point if we were making an analogy , but we aren't ... we're doing metaphors today. 8^}

    Cheers!

    Zero__Kelvin, who is not to be confused with Zero_Kelvin!

  • Which licensing agreement?

    Oh, you mean the text THEY refer to as "licensing agreement" when in fact it has no legally binding effect at all (modulo some countries/states with a screwed legal system)...

  • There are a lot of security problems other than buffer overflows and format-string bugs:

    • Calling shells with untested user-provided parameters (e.g. 'filename; rm -rf /').
    • Constructing filenames out of untested user-provided parameters (e.g. ' ../etc/passwd' - there should be more of '../' but Slashdot does not like that).
    • Providing access to other users' data (e.g. relying on users not doing URL hacking).
    • Not limiting resources (=> DoS attacks); note that 'secure' languages are much more prone to that error because programmers usually don't care about size...
    • Triggering bugs in the environment (interpreter, compiler's RTL).
    • Scripting languages: Constructing programme code including user-provided data (e.g. with perl's eval statement).

    Now if these programmes even run as root because 'they are secure anyway'...

    The real solutions have to be different:

    • Divide everything into small programmes that do simple tasks.
    • Run every task in a sandbox (chroot environment, user account,...) that gives no more access than absolutely necessary.
    • Don't trust input, be it from the user or another part of the system.
    • ...
      And finally:
    • Be paranoid!

    For example, look at qmail [qmail.org]'s security scheme.
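The first four bug classes in the list above (shell calls, file names, resource limits, and code built from data), as an added example that is not the poster's code: each is shown in its dangerous form next to a safer form, on constructed inputs. The shell demonstration uses `printf` so the injected command only echoes text, and `EXPORT_ROOT` is a constructed directory that need not exist.

```python
"""Non-overflow bug classes from the list above, dangerous form beside safer form.
Added example, not from the thread; all inputs are constructed."""
from __future__ import annotations

import ast
import io
import subprocess
from pathlib import Path

EXPORT_ROOT = Path("/srv/constructed-export-root")   # constructed; need not exist


# 1. Calling a shell with untested user-provided parameters --------------------
def shell_unsafe(filename: str) -> str:
    # shell=True hands the whole line to /bin/sh, which treats ';' as a command
    # separator. The command is printf, so the injected part only echoes text.
    done = subprocess.run(f"printf %s {filename}", shell=True,
                          capture_output=True, text=True)
    return done.stdout


def shell_safe(filename: str) -> str:
    # An argv list with shell=False: no shell parses the string, so the whole
    # value, metacharacters included, reaches printf as one argument.
    done = subprocess.run(["printf", "%s", filename],
                          capture_output=True, text=True)
    return done.stdout


# 2. Constructing file names out of untested user-provided parameters ----------
def resolve_under(root: Path, user_path: str) -> Path:
    """Join user_path onto root and refuse anything that normalises outside root.

    Catches '../' sequences and absolute paths alike: Path('/a') / '/etc' is
    '/etc', and resolve() collapses the dot-dot components before the check.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"{user_path!r} escapes {root}")
    return candidate


def export_path_is_safe(user_path: str) -> bool:
    """Policy wrapper a request handler would call before opening the file."""
    try:
        resolve_under(EXPORT_ROOT, user_path)
        return True
    except ValueError:
        return False


# 3. Not limiting resources ------------------------------------------------------
def read_bounded(stream: io.IOBase, limit: int) -> bytes:
    """Read at most limit bytes; larger input is rejected instead of buffered."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError(f"input exceeds {limit} bytes")
    return data


# 4. Constructing program code out of user-provided data -------------------------
def parse_setting_unsafe(text: str):
    return eval(text)   # evaluates any expression, function calls included


def parse_setting_safe(text: str):
    # literal_eval accepts only literals (numbers, strings, lists, dicts, ...)
    # and raises ValueError for names, attribute access or calls.
    return ast.literal_eval(text)


if __name__ == "__main__":
    hostile = "a; echo INJECTED"
    print(repr(shell_unsafe(hostile)))   # 'aINJECTED\n': two commands ran
    print(repr(shell_safe(hostile)))     # 'a; echo INJECTED': one argument, verbatim
    for candidate in ("reports/q1.csv", "../../etc/passwd", "/etc/passwd"):
        print(candidate, "->", "ok" if export_path_is_safe(candidate) else "rejected")
    print(read_bounded(io.BytesIO(b"x" * 10), 16))
    print(parse_setting_safe("{'retries': 3}"))
```

The common thread is the poster's last rule: every function treats its input as data and never lets it reach a parser (shell, path resolver, Python itself) that would interpret it as instructions.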

  • If engineers design bad brakes, they'll get sued when someone receives "damages" from their product. When software manufacturers design bad software, their licensing agreement saves their ass.....

    That's true, and you're probably completely right. But there is also one important difference when dealing with software security. There is always a third person involved. They can say, "Hey, don't blame us. It would have worked if it weren't for those pesky hackers!"

    Many people will just accept that.

  • I'm sure you're serious. Look at the security bar in IE. They even give descriptions like "The safest way to browse, but the least functional."

    Also, check out setting a custom security level. It gives you a list of features to enable or disable. Apparently, increasing the security in their security bar is the exact same thing as removing functionality.

    Think of Microsoft's solution to Outlook to protect against those 'viruses' like the "I Love You". They came out with a patch to disable receiving files with certain extensions. Like not being able to receive *.exe, *.vbs. It was a long list, but it really shows how Microsoft views security, and what they would do if they shipped their products at their 'highest security level'.

  • by MrBogus ( 173033 ) on Saturday July 21, 2001 @04:19PM (#70034)
    The Outlook solution was essentially correct. It put a security wrapper on Outlook's COM API which should have been there in the first place, but all that adds up to is another warning prompt for the user to ignore and press OK.

    The root level problem is there's nothing you can do if the user insists on executing things they find in their inbox. There's a hundred ways to send mail that don't involve Outlook APIs. So, solve the root problem and get rid of executables in mail. Smart shops are probably already doing this on the server level. (And yes, it does suck that you can't turn it off.)
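Stripping executables at the server level, as this post recommends, as an added example that is neither the poster's nor Microsoft's code: a filter built on Python's standard `email` package that replaces executable attachments with a short text note and leaves the rest of the MIME tree alone. The blocked-extension set is a constructed placeholder (the page does not reproduce Microsoft's list), the filter also looks at the leading bytes of each part so that an executable renamed to a harmless extension is still caught, and the sample message is constructed.

```python
"""Server-side filter that strips executable attachments from a message.
Added example, not from the thread; the extension list and the sample
message are constructed."""
from __future__ import annotations

import email
import os
from email import policy
from email.message import EmailMessage

# Constructed list: a few of the extensions Windows runs on double-click.
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Leading bytes of PE (Windows) and ELF executables.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def is_executable_part(part: EmailMessage) -> bool:
    """True if the attachment is executable by name or by content."""
    name = part.get_filename() or ""
    if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(EXECUTABLE_MAGIC)


def strip_executables(raw: bytes) -> tuple[bytes, list[str]]:
    """Return the message with executable parts replaced by a text note,
    plus the names of the parts that were removed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if is_executable_part(part):
            name = part.get_filename() or "(unnamed)"
            removed.append(name)
            # set_content() clears this leaf's payload and Content-* headers
            # (so the attachment disposition goes too); the tree is unchanged.
            part.set_content(f"[attachment {name!r} removed by mail policy]")
    return msg.as_bytes(), removed


def attachment_names(raw: bytes) -> list[str]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample_message() -> bytes:
    """Constructed message: text body, a .exe, a text note, and the same
    PE bytes under a .pdf name (passes the extension check, fails the magic check)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Please see the attached files.")
    fake_pe = b"MZ\x90\x00constructed-not-a-real-program"
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample_message())
    print("removed:", removed)                  # ['invoice.exe', 'report.pdf']
    print("kept:", attachment_names(cleaned))   # ['notes.txt']
```

Replacing the part rather than deleting it keeps the recipient informed, which is the difference between a filter users tolerate and one they route around; and because the check runs on the server, the "you can't turn it off" complaint in the post is a feature rather than a bug.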
  • http://www.brakehorsepower.com/speedtrap/speedtrap_anecdotes.html
    No-one expects the Spanish Inquisition flame!
  • Bollocks. Never drink and post... You get your cut and paste mixed up with two different things...
    I'll go to bed now...
  • This is, unfortunately, true.

    I would like nothing better than to be a full-time network administrator. However, until recently, this was a solo shop with an insane number of computers and systems, with vendors who refused to play nice with one another, and a management who had (has) unrealistic expectations of one human MIS person. So I was netad, sysad, helpdesk, tech liaison... in other words, 'the computer guy.' I would almost scream when someone called me 'the computer expert.'

    Fortunately, I now have someone here to help me, but I keep hearing that management here is trying to cut corners again, and may want to get rid of him.

    It was this job which is the nail in my IT coffin, after only eight months of greymatta flambe, and it will be my last job doing IT work professionally and full-time.

    ---
    Chief Technician, Helpdesk at the End of the World

  • by rchatterjee ( 211000 ) on Saturday July 21, 2001 @02:07PM (#70038) Homepage
    Does this mean if I run my processes at too high a runlevel and get caught I'll have to go to a school and be forced to watch a video called "Core dumps on the hard drive" to clear my record?
  • Correct. Making stack non-executable also helps without slowing anything down, unlike stackguard. Many people would argue that it's not a complete solution, because the already loaded code can be used for malicious purposes. But believe me, there is no such thing as a complete solution anyway.
  • RedHat did the right thing w 7.x by locking down most services so you had to open them up if you needed ftp, telnet, etc
    Most of the improvements in the 7.x releases are nice. I'm running 7.1 and it's pretty well locked-down. Only thing is that I don't use this box for much more than /., writing papers for school, and maintaining my website (via FTP), which means that Red Hat was still launching some services on boot that I didn't need (ssh for example)...they've made strides, but I'd appreciate something in the installer somewhere that would let me select services to start on boot (other than just cranking the firewall settings to "high" to prevent connections), instead of having to figure out what it starts and then disable things I don't need.

    But that's Red Hat's big problem, really...even the "custom" installs put junk on your system you don't need (example: I use Enlightenment, and mostly GNOME-based apps. I leave Qt and some other assorted libs around, but don't need KDE. What did it do? Installed a bunch of KDE packages, despite my having conspicuously not checked the box for "KDE" on the menu...first thing I do after an install is run GNOME-RPM and start uninstalling stuff).

  • And I thought I was the only one. Of all dialogs, this is the one I most wish for a "Don't ask me this again" checkbox... I even uninstalled the Flash plugin and changed file associations, but the warnings persist...

    Disable JavaScript and you'll find that many websites use it for stupid reasons -- things that could be easily done without it. Though this isn't an OS specific issue, it would still cause problems if a browser were shipped with JS disabled by default.

    Back on topic though, I don't think security should be a requirement. I just think that people will make one of three choices:

    1) Ignore security, use the "normal" OS, and reinstall every 30 days or so;

    2) Educate themselves on security (perhaps the hard way), and lock down their systems;

    3) Switch to an OS that is already more secure out of the box.

    Unfortunately, most users fall into #1... But this is the choice the user makes, and that's the important thing: the user makes the choice, not a software corporation, and not any regulations imposed on the software corporations. Things will only get better when users get smarter.

    - Jman
  • but won't work, once the DMCA is in wide use.

    The primary reason people don't steal things randomly is because they don't want to get arrested. Yes, some people have morals, most of society -doesn't-. (Yes, I look down on my fellow man.)

    As soon as it becomes commonplace (as if it hasn't) to censor any "subversive" behavior, any intelligent thinking, and any questioning of various standards (ie: PDF security), even for truly and purely intellectual reasons, ... as soon as that happens, people will come to accept and believe in the law. Right now, we still have a taste of freedom, and so we fight the laws, as it's civil injustice. What about in another 10 years? Sure some people will still fight; the majority will just accept it.

    Don't get me wrong, I am not saying we should stop fighting. But trying to make a law to demand security won't work, because many people still believe in "security through obfuscation", and in that case it becomes a matter of either perspective or time. (The Vigenère cipher was considered unbreakable in its time; now... well, it'll take a few moments).

    We should push this, but more importantly continue fighting (and more aggressively) for the repeal of the DMCA. If the DMCA stands, a pressure for security will have absolutely no effect.

    My penny's worth....
  • Interesting, looks like a birth of unix time. Probably the first second of 1970.
  • what about liability for bad programming period then. sooner or later some poor sap is going to be hooked up to some heart monitor keeping him alive only to find it's running WinCE, and core on him.
  • If engineers design bad brakes, they'll get sued when someone receives "damages" from their product. When software manufacturers design bad software, their licensing agreement saves their ass.....
  • Agreed. Security and usability are at the opposite ends of the computing spectrum. The average computer user has enough trouble maintaining and using a computer running Windows (or a Mac) as it is. Passing the burden of security along to the user is, IMO, a bad idea that will only lead to frustration.

    Security issues should be addressed by software vendors in such a way that it is transparent to the user. While this is difficult, it can be done (e.g. Mac OS X hiding root from the user while still providing multi-user UNIX security).

    Until software vendors can provide the user with a computing experience that is at least as trouble-free as the current situation, tying the user's hands with more secure software won't do anything other than piss him off.

  • Stack execution is necessary for some applications like debuggers and some system calls in linux. There are ways around it, but they are slower.
  • Maybe this would help force people like Microsoft to do more testing to make sure that such obvious and less than obvious holes and risks do not ship or get patched into their products.
  • While those settings on operating systems and other software can be changed, most computer users and many network administrators don't know how to do that, Kreitner said.

    Many network administrators don't know how to change security settings on desktop machines (which are usually some flavor of windows)??? How do they keep their jobs if they can't change a desktop computer's security settings?

    The scary thing is, it's probably true. I thought back to my college days and all my fellow CIS majors (computer info. systems). A lot of them couldn't use windows, understand "for" loops or update a printer driver, yet they got their degrees. And they are the ones who use Windows NT and IIS and Outlook because it's so damn easy to install and everything has a pretty icon for it ("ooh! a picture of a person means this icon lets me add people to the PDC... what does PDC mean?"). Not to mention they probably believed Microsoft got to the top because they made the best product, and unix is old so it must be bad.

    So considering that the quote above probably has some scary truth to it, maybe we should focus more on idiot-proofing the Network Administration population, and less on idiot-proofing servers with more security installed by default. Remember, if it's installed by default, it will always be the same solution - and that's easier to hack than a security setting that is set by each individual sysadmin. Example - If a particular Linux distro by default installed the very strong root password of H8&^h3{ew and a user called user1 with password D4s^Je0* on every machine, wouldn't some less intelligent sysadmins keep those on there, figuring it was pretty strong? Then some beginner hackers could search the web for that flavor's default apache page, telnet the IP and root the machine! Just an example, but meant to point out that installing high security by default could backfire, and usually a better solution is less idiots, not more idiot-proof machines.


  • Must .. resist .. Micro$oft .. bashing ....

    OK - Now that I've calmed down....

    While I think this is a great idea, I worry that this will cause problems for average users AND I doubt vendors like Microsoft will bother. Ever tried to browse the web with IE set to the max security level? Lots of stuff stops working! RedHat did the right thing w 7.x by locking down most services so you had to open them up if you needed ftp, telnet, etc. But when it comes to Java, web browsing and other stuff, locking it down will only frustrate users who are used to browsers just 'working' - Imagine if they get hammered with popups about enabling cookies, Javascript, Java, etc.

    I'm not saying that this is a bad cause, it's a noble one, but it seems that much more work needs to be done on the underlying security risks of certain platforms vs. just running them at a 'secure' level.

  • It certainly is true. The reasons why there are so many overflows in new programs are that 1) people are lazy, 2) people copy old code, 3) people don't know about it, 4) people don't care (ties in with 1).
  • I don't see shipping with everything turned off as something bad. Conectiva Linux has shipped like this for some time now. I'm pretty sure other distributions also do, and I never saw anyone complaining about it.
    Much better than having tens of daemons running just after a fresh install.
    And this is not even advanced security features. It's plain basic: don't leave anything running that you don't need to.
    ---
  • Mac OS X ships with most services in a default off position, FTP, Telnet, Apache.....etc. You have to turn them on yourself to start using them.
  • Too bad REAL Network Administration IS a full-time job. Maybe others can find the time to update their systems between lunchbreaks......... oh that's right, they don't!
  • In an effort, much like Ralph Nader's effort to increase safety standards for the car industry, ...

    Nader has nothing to do with this. And did Dubya ever have a real job?
  • Chryslers are the ones that are easy to steal ;)

  • I thought metaphors were on Tuesdays?

  • making them less vulnerable to viruses and hacking ...

    Well, you can just forget about Linux getting included in this initiative. After all, it is the most hacked-on operating system. Just ask Alan Cox or Linus.

  • You wouldn't be saying that if it was your mom in the building when Mr. McVeigh did what he did. And to the moderator that said this was insightful: go fuck yourself.
  • You're suggesting that in protest to the government we should each blow up a building in a huge city, killing over 200 innocent people? I don't think so. This may be America, but free speech doesn't mean you can just go blow up hostile government and corporate elements to make a point.
  • force people like Microsoft

    force is no way to deal with ANYONE. any civilized society has to agree that no one may initiate the use of physical force against anyone. If Microsoft wants to release unsafe, crappy software, they should be able to release it under their terms. force is not an option.

    Persuade microsoft. Use your wallet. Publish articles. Write better software. do everything, but do not demand, by physical force, that microsoft must produce under your conditions, or anyone else's.

  • If we don't use our wallets, what should we use?

    The alternative is force. Either force or persuasion, your choice. Force is the antithesis of life. You and I may agree that security in some software applications, and the OS'es they run on, is horrible. But consensus among two (or two billion) individuals does not give right to those individuals to force a third to believe it. Nor does it give us or anyone the right to dictate how businesses must be run. businesses are methods of survival (since it is not automatic) for many people. To tell those people that instead of making choices they deem right about their company, that they must follow your order, is wrong. It tells people that their survival hinges on your force against them.

    Individuals should deal with each other as traders, not as ruffians who use force.

    By the way, what is greed? You didn't define it. If greed is seeking better and still better ways to make products, survive, thrive, seek individual happiness, be innovative, etc, then I think it's a pretty damn good concept. The desire for money is a desire for survival, and then an increased level of comfort and enjoyment. Since money can't be forced from people, and has to be taken by trade, it's as moral an existence as you could hope for. Your choice: dollars or guns.

  • Hasn't anyone picked up on the fact that this company pushing to "secure and protect us", is one of the major companies just looking for an excuse to implement CPRM [theregister.co.uk] (the free software killer) on our computers?

    Hmm....spooky. I wonder what a good way to stop "virus-infected pirated software" will be...
  • Dear Company X, We have noticed your software does not ship with ROT-13 encryption. We must STRONGLY urge you to enable your ROT-13 encryption by default so the world will become a more secure place!!
    • Imagination is more important than knowledge.
  • by Dutchie ( 450420 ) on Saturday July 21, 2001 @02:32PM (#70069) Homepage Journal
    Euhhhh... doesn't PEBKAC relate to cybersex then?!?! Maybe your acronym is slightly uhh uhm.. never mind :)
    • Imagination is more important than knowledge.
  • I distrust fnord someone like fnord Nader, who has never held a fnord "real" job in his life

    Were you going for an ad hominem attack here? Consider this: Is CEO a "real" job? Nader and other consumer advocates are at least responsible enough to do for consumers what consumers should be doing for themselves.

    , and like knows less about computers fnord than the average marketer to now suddenly want to fnord author regulations for software production

    He's not trying to tell them how to design their products. He is making our government aware that there is a minimum acceptable level of safety for any and all consumer products. We all have become too complacent after years and years of buying and using defective commercial software. If you read slashdot at all, you will know how just how defective these products are and the havoc that they can wreak [slashdot.org].
