FreeVeracity: Network Intrusion Detection

Ross Williams writes: "FreeVeracity is a new free intrusion detection tool for free platforms (GNU/Linux, FreeBSD, NetBSD, OpenBSD, etc.) that uses cryptographic hashes to detect file changes that may indicate a network intrusion. FreeVeracity can be run standalone or in a client/server configuration (on TCP port 1062) that enables you to monitor the integrity of hundreds of computers from a single point. FreeVeracity is also an excellent general-purpose data integrity tool with over ten different applications. FreeVeracity is released by Rocksoft, vendor of the Veracity data integrity tool used to secure the networks of leading global companies in finance, communications, transport, aerospace, power generation and defence. FreeVeracity is released under the Free World Licence which provides all the usual free-software freedoms, but for free platforms only." Looks useful.
  • By always ignoring the small cracking jobs by petty crackers as an axiom, you create a wide open training ground... a gov't sanctioned terrorist camp, if you will, where crackers can practise their new attacks to perfection before unleashing them on "the big boys" of the internet.

    Had little johnny been smacked for h4xx0ring some cablemodem users' boxes, he wouldn't have gone on to feel invulnerable enough to take on yahoo.com.

    Law enforcement should target the lower levels of crackers rather than to react to panic when the problem crescendos into chaos at the higher levels.

    They could've stopped the big cracking before it ever started.

  • Am I the only one left who wants to keep govt's off the net? I don't see why it's needed. If it can be solved with tech, why let a bunch of people who are 95% clueless get power? Govt's are nice in meatspace, not here.
  • ``But when the 6.02e23rd victim of the LOVEBUG emails them... they just don't care anymore.''

    I agree that a common security hole won't cause a huge stir in the security world, however it is important to at least know how your machine was compromised. . . especially if you're not a security expert yourself. While they may not ``care'' per se, someone would be at least kind enough to point you in the right direction in terms of a solution.

    Then again, it could be a new exploit that does need attention. You never know until the situation has been assessed by someone who knows what they're looking at.
  • by Anonymous Coward
    The product is nothing more than a file integrity tool. We've had Tripwire, L5, and other tools that do the same thing for years. Their web site is so full of hype: "intrusion detection system", "firewalls", "protocol and file standard"!!!

    They provide a way to remotely check the integrity of files. This is something that the latest commercial version of Tripwire does as well. While this is handy when you want to keep your eye on a few dozen or hundred machines it can easily be defeated by an intruder.

    Data integrity tools are useless if they are running in a hostile environment. And the second the machine gets broken into, that's what it is. The intruder can modify the kernel to return the right file content to the data integrity tool but not to anything else. He can shut down the tool and replace it with one that reports everything is fine. Etc.

    The only time you can know for sure that a data integrity tool is telling you the truth is when you have booted from clean media and are using file hashes that have been stored in read only media and could not have been tampered with.

    Maybe every computer needs a secure coprocessor running security software that can act independently from the OS and primary CPU?

  • Now I know to block out port 1062 on my firewall. I can foresee hackers "monitoring my computer's integrity."
  • No I think he is calling it a Jeep, because people understand Jeep.
  • For linux get nmap. Then get knmap or nmapfe to provide a gui front end if you like. Nmap is the best *nix port scanner around.
  • You should FIRST read all the security updates for your distribution otherwise you'll probably get rooted again. One of the most common exploits going is a "named" buffer overflow, so don't run a DNS unless you've got to and until you've upgraded to at least BIND 8.2.2-P5 or use DJBDNS. Learned this the hard way.

    qmail [qmail.org] is an excellent choice for securely replacing sendmail.

    DJBDNS [cr.yp.to] may be of some help.

    ipchains [unc.edu] is your friend...

  • The source is available, but it doesn't appear to work with the standard linux toolkit (gcc, make, configure, perl, etc.). It requires something called FunnelWeb [freeveracity.org] [ross.net] (which appears to be some sort of literate programming aid) to build.

    Since Funnelweb isn't already installed on my box and I'm too lazy to be bothered with it I guess that I'll miss out on FreeVeracity, at least until someone releases a version in straight C (something that appears to be permissible under the license).

    daniel

  • I think the reason that it's only 'free on free platforms' is that they still want to sell their commercial version, which is likely the same as the free version, without the 'Free' in the title.
  • Rocksoft isn't the first commercial software company to release a "free" version of their software. They're not even the first computer security company to do so. They're not even releasing a particularly interesting tool. And, looking at the license, they're not even open-source.

    People in the open-source community work hard to bring tools that are more interesting than "Veracity" to market every day. I don't hear about the most recent release of FreeSWAN here, or the latest news on Nessus. I could probably go to Freshmeat and find several tools that do exactly what Veracity claims to do, too.

    Of course, even if that Freshmeat fodder was a 0.0.1a-release written in Perl, it'd be more trustworthy to me than "Rocksoft's" proprietary stuff.

    And, incidentally, "Veracity" isn't "network intrusion detection", at least not under the common definition. It's file integrity monitoring, and in this case it's distributed. Rocksoft seems enormously impressed by this fact, advertising their newly allocated TCP port number as if it was an endorsement from IANA.

    "FreeVeracity", like this Slashdot article, is nothing more than advertising for a (lame) commercial product.

  • Oops, didn't mean to hit that button. Here are better links.

    The source is available [freeveracity.org], but it doesn't appear to work with the standard linux toolkit (gcc, make, configure, perl, etc.). It requires something called FunnelWeb [ross.net] (which appears to be some sort of literate programming aid) to build.

    Since Funnelweb isn't already installed on my box and I'm too lazy to be bothered with it I guess that I'll miss out on FreeVeracity, at least until someone releases a version in straight C (something that appears to be permissible under the license).

    daniel

  • Give the story submitter a break. He's from the company that makes the product, he's probably been brainwashed into it... FreeVeracity this... FreeVeracity that... FreeVeracity and the kitchen sink... Trust me, I've done the same thing.
  • Fascinating.

    The Free World License is hypocrisy itself on paper; a license can't be Open-Source if it's under a discriminatory license.

    But this does lead to an interesting point: what if someone were to port this to Darwin? Darwin itself is Open-Source. However, if it runs on Darwin, then it should also run on OSX (the core of which is Darwin). But OSX isn't entirely Open-Source, only the core. However, one could say (and actually argue fairly well) that Darwin is really the operating system, and "OSX" is just Apple's value-added stuff on top of it. So is an OSX port legal or not?

    Just something to think about.
    ----------
  • Hmmm... Two free pieces of software I can think of off the top of my head are Lynx and vim. Both are quite Mac friendly. But IIRC, both require you to use MPW to compile...

    Vi IMproved: http://www.vim.org [vim.org]
    Lynx: http://lynx.browser.org [browser.org]

    Any other examples?

    --Matt
  • chattr +i filename

    This marks a file 'immutable' so that not even root can modify it. Then, as I understand it, using securelevels you can make it impossible to chattr -i the file without a (logged) reboot.
  • This reminds me of a paper I came across yesterday:

    "Incremental Hashing With Application to Virus Protection" STOC '95 M. Bellare, O. Goldreich, S. Goldwasser

    ftp://theory.lcs.mit.edu/pub/people/oded/bgg-inc2.ps

    It describes a signature scheme with an "incremental" or "fast update" property. They claim that this signature scheme is ideal for settings in which there's a very small amount of trusted memory and CPU available to a virus monitoring program.
    Tripwire style IDS seems to be extremely similar.

    Anyone implemented this sort of thing or know if it's being used in a commercial product?
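An added illustration (not code from the paper or from FreeVeracity) of the fast-update property described above: an additive hash over position-tagged block hashes, where replacing one block costs one subtraction and one addition instead of a full rehash, and the monitor only has to keep the current hash in trusted memory. The construction is a deliberately simplified stand-in for the paper's scheme, with toy parameters chosen for readability.

```python
import hashlib

# Toy parameters for the illustration. A deployable scheme needs a large, fixed
# modulus; additive hashes over a small modulus fall to birthday-style attacks.
MODULUS = 2 ** 256
BLOCK_SIZE = 64


def block_hash(index: int, block: bytes) -> int:
    """Hash one block together with its position, so reordering blocks changes the result."""
    digest = hashlib.sha256(index.to_bytes(8, "big") + block).digest()
    return int.from_bytes(digest, "big")


def split_blocks(data: bytes) -> list:
    """Cut the monitored object (a file image) into fixed-size blocks."""
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]


def full_hash(data: bytes) -> int:
    """Baseline computation: one pass over every block, O(n)."""
    total = 0
    for index, block in enumerate(split_blocks(data)):
        total = (total + block_hash(index, block)) % MODULUS
    return total


def update_hash(old_hash: int, index: int, old_block: bytes, new_block: bytes) -> int:
    """Fast update: account for one replaced block without touching the others, O(1)."""
    return (old_hash - block_hash(index, old_block) + block_hash(index, new_block)) % MODULUS


class TrustedMonitor:
    """Holds only the current hash (the 'small trusted memory' of the post).
    Legitimate edits are announced through apply_change(); anything else shows up in check()."""

    def __init__(self, data: bytes):
        self.expected = full_hash(data)

    def apply_change(self, index: int, old_block: bytes, new_block: bytes) -> None:
        self.expected = update_hash(self.expected, index, old_block, new_block)

    def check(self, data: bytes) -> bool:
        return full_hash(data) == self.expected


def demo() -> dict:
    """Constructed scenario: 8 blocks, one announced edit, one silent edit."""
    original = bytes(range(256)) * 2          # 512 bytes -> 8 blocks of 64
    monitor = TrustedMonitor(original)

    # Authorised change inside block 1 (offset 70), announced to the monitor.
    edited = bytearray(original)
    edited[70] ^= 0xFF
    edited = bytes(edited)
    monitor.apply_change(1, original[64:128], edited[64:128])
    announced_ok = monitor.check(edited)
    incremental_matches_full = monitor.expected == full_hash(edited)

    # Unannounced change inside block 6 (offset 400): what the monitor is there to catch.
    tampered = bytearray(edited)
    tampered[400] ^= 0x01
    silent_caught = not monitor.check(bytes(tampered))

    return {"announced_ok": announced_ok,
            "incremental_matches_full": incremental_matches_full,
            "silent_caught": silent_caught}
```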
  • I have a habit of trying to eliminate pronouns as they tend to lead to ambiguity, but I obviously overdid it in this case!
  • Hello. Rocksoft does not assert that FreeVeracity is the ONLY network intrusion detection tool that you'll need. You should still deploy all the boundary and packet based tools too. FreeVeracity is only part of the solution, as are most tools. So it's still correct to classify FreeVeracity as an intrusion detection tool.
  • Is anyone able to explain why one should dump tripwire 1.2 for this product?
  • I agree that a common security hole won't cause a huge stir in the security world, however it is important to at least know how your machine was compromised.

    But I want... yes... VENGEANCE!!! Not to help make some 3rd party richer as a result of a wanton criminal's successful crime and my anguish at being violated. That's the leech talk of a lawyer... you BLOODSUCKER. You're not helping anyone. You're just sucking us both off.

  • When someone who logs in from one of 3 places repeatedly over several months suddenly starts showing up in the logs as logging from somewhere new or very far away, then you get suspicious.
  • From now on my programs will be released under a similar license: The software will be completely free, but you will only be allowed to run it on MacOS.

    what? free software on a mac? this is a first... almost anything useful i can find for macos is usually shareware/crippleware/etc.

    in all seriousness, though, macintosh is a consumer-based platform. the most likely reason that there is no free software for it is simply the fact that people who use that platform aren't interested in developing free commercial-quality utilities in their spare time for fun (which is more the case on free *nix based platforms.) Therefore, it would almost be futile, at least for the time being, to release onto that platform.

    Additionally, a fear many companies have with releasing source is 'why would anybody pay for the product when the source is available'. I know i would most likely have similar worries. This licence gives the developer a chance to both a) release the source to a community which would most likely go through it, find security problems, improve it, etc., and b) test the open source concept with a smaller group, while not 'risking' their main income (being the windows folks). Having a way to cautiously try open source before releasing everything open, so as to assure themselves that it is a Good Thing, may be the key thing many companies need to disclose their code, which really helps us all. This is why i see this licence as a potentially good thing.
    -legolas

    (ps RMS ate my balls... i love GNU software, and i'm a fan of the GNU licence, which is what i release anything i make under. And which is one of the reasons I run Linux instead of Windows. However, not everybody in the world is so 'enlightened' ;^)

    i've looked at love from both sides now. from win and lose, and still somehow...

  • That's the leech talk of a lawyer...

    How so? If my machine was compromised and I didn't understand how it was exploited, I would want to find out how it was done so I could patch the hole ASAP. If everyone else learns from it as well then all the more power to them. Security cannot be effectively developed by obscuring knowledge. And no, IANAL.
  • So, you get root on a computer running free veracity. You tell it to update the hash table and the admin is none the wiser. We prefer to call it deleting the log file.
  • They could have rootkit'd your box already, checking the integrity of files now is too late. My box was hacked within the first week of installing Linux (that was fun...). I just formatted and reinstalled the whole mess and this time turned off most all of the services, since I had no idea what the weak link was and what the hell they had done to it in the mean time.
  • Actually, it's not unlike some of the licenses that Microsoft provides with some of their beer-free add-ons. You're free to use the software, but only under Windows.

    I can see why ESR and RMS don't like it.

  • A friend of mine uses the Windows programs Blackice [networkice.com] and ZoneAlarm [zonelabs.com] but I'm curious as to what (preferably free) programs one can use to detect port scans and intruders under Linux and BSD?

    I have heard of Tripwire. Does any one have any experience running that one?
  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Saturday August 26, 2000 @08:35AM (#825840) Homepage Journal
    Yawn. Who needs it? It's not a very complicated tool, there is existing Free Software that duplicates its function. Folks, this is another file checksum program, not rocket science. It adds yet another incompatible license for people to deal with.

    Bruce

  • Didn't know about aide, so I checked.

    From a very fast scan, looks to me that aide lacks the 'networking' feature, which I think is basic in a product of this kind (even if the authors plan on adding it). Couldn't an attacker just rebuild the database after mangling your system files? How are you supposed to protect the hash database if not storing it elsewhere?

    In this sense, this stuff seems better than aide. I don't think that using a custom port/protocol was the right choice anyway. I'd better stick with ssh/scp for obvious reasons.

    Let alone the licensing...
  • I don't call my car a Chrysler/Toyota/American Motors Jeep*.

    * - I believe that Jeep used Toyota transfer cases in their 90's model Cherokees and Grand Cherokees. That's a pretty important part of a 4WD vehicle, dontchathink


    so, you are calling your car a Toyota, right?
    after all you are naming your OS after only one important part.
  • At no point has NFR *ever* been open source. Its source code has been made visible, at times, under extremely restrictive licensing terms similar to those used by the Gauntlet firewall. While this is better than keeping the source closed (it allowed me to find and publish a remote root hole in the software, which might otherwise have gone undetected), it's not even close to open source --- I still have to pay to use the software, and I cannot derive from it.

    Bruce Perens brought up the same issue, with regards to Gauntlet, in a rebuttal to Elias Levy @ SecurityFocus's article questioning the value of Open Source to security. Perens' point applies just as much to NFR as to Gauntlet: what incentive does the community have to do QA on Marcus Ranum's commercial software?

    I realize this is a tangent, but many people have this misconception about NFR.

  • Actually, the submitter is the CEO of Rocksoft and the text is the readme from the Veracity website. But since it's free as in speech, I don't have any problem with blatant advertising.

    --

  • what? free software on a mac? this is a first... almost anything useful i can find for macos is usually shareware/crippleware/etc.

    As a Mac and Linux user, I've thought a bit about the reasons for the lack of much free/open source software on the Mac.

    Certainly, a major impediment is the fact that most Mac users aren't hackers but consumers who don't have much interest or ability in improving their software. I'm not sure what, if anything, can be done about this. I suppose another factor is that most development on the Mac is done using CodeWarrior or another commercial IDE, which further restricts the people who can do anything meaningful with the source to an application; I admit to not being the most knowledgeable person in the field of Mac development, but I don't know of any open source/free (speech) compilers on the Mac.

    But I suspect that another main reason little free software is developed on the Mac is that people are unaware of it. I had been a Mac user for many years before I had even heard of 'free software' or 'open source', let alone understood why it was a good thing. It wasn't until I started using Linux that I became aware of such things; perhaps with the attention that Linux is receiving in the media, more people may be somewhat more aware of the free software movement, but most probably don't understand it more than superficially.

    This is one reason I'm opposed to the Free World license. If we want to make more free software available, restricting it so that it can't be used by users of a non-free operating system won't help. By allowing everyone to use it, more people will be exposed to free software. They may only use it like any other program, which isn't necessarily a bad thing, but they might well learn more about free software and perhaps be influenced to write free software of their own or switch to a free operating system.

    On an unrelated note, I also find it a bit troubling that the Free World license pages tout the fact that they were 'Denounced by Richard Stallman' and 'Rejected by Eric Raymond' as though those were things to be proud of...

  • Ok, this looks like something worthwhile to try. Though I have a few questions. First, does anything it use run as root? It opens TCP port 1062 (accessible by normal users), but perhaps it needs root access to some other root-only system files (this would be my guess).

    Also, does this sort of program work well with Portsentry [psionic.com]? Also, it'd be nice if this FreeVeracity client program acted in a similar fashion to LogCheck [psionic.com] by checking the syslog-generated files. Then you could use one program to monitor critical file changes, illegal port scans, attempted hack-ins, everything in one bag. Perhaps FreeVeracity provides more functionality than I'm assuming though. I'd like to hear what anyone has to say.

  • by Legolas-Greenleaf ( 181449 ) on Saturday August 26, 2000 @10:17AM (#825847)
    not quite... nmap is a port scanner, not port scan detection software. (although, i must say... a machine doesn't really feel set up until i have a copy of it on. =^) i frequently use nmap to see what open ports i have and firewall out or shut down programs as need be.

    for detecting portscans, the first program to come to my mind (and that i have had some experience using) is portsentry [psionic.com]. It binds itself to a number of unused but frequently scanned ports (1, 12345, 31337, etc) and you can change the list. you can also set it up to automatically respond (add the person to ipchains or whatnot). care should be used in setting up portsentry, though. i've seen attacks where people make scans with forged ips, and the automatic response automatically firewalls out your own ip, your router, your nameserver, your mailserver, etc.

    hope this is useful.
    -legolas

    i've looked at love from both sides now. from win and lose, and still somehow...

  • Well, from my point of view, having closed source software listening on an open port is unacceptable.

    Protecting the database is clearly the cornerstone of any software of this type working. The way I do it is I keep the database on a (physically) write protected floppy. I have a cron job that runs the binary from this same floppy and emails the results to root. (I have even considered putting a second fdd in the system and physically cutting the WE line on the ribbon cable.)

    Another alternative would be to burn the db out and then put it in a CD-ROM (note the "RO" in ROM.)

    Or you could keep it on a floppy and check it by hand.

    -Peter

  • The reason why it's V3.0 is because this first-ever release of FreeVeracity is directly derived from Veracity V3.0. Veracity is a commercial data integrity tool that has been on the market since 1994. I agree that FreeVeracity is only one part of the security solution. I believe that it is a very important part though because it's the part that will save you if all the other parts fail.
  • Floyd,

    Explain the logical differences between your attitude towards this and -for example- someone breaking into your home and stealing stuff from you.

    By your line of reasoning, the police really shouldn't be involved in any sort of break and enter or property crime. If you can't secure your residence, TS for you.

    If the above is what you're implying (which I assume it's not, since you seem to think authorities should involve themselves with a certain size of entity (what's the cut-off by the way, 100k+ revenue per year? less/more?)) I certainly hope you're never in a position of power in any government.

  • Legolas, you are right, that's what I get for replying without thinking. Portsentry is good, especially in conjunction with logcheck. BTW, have you set up a time with Gimli to visit the Glittering Caves of Aglarond? Seems he went to Fangorn with you and you haven't been too eager to go back to Helm's Deep with him. He won't stop pestering me!
  • Hello. I just want to say that the only reason I mentioned Veracity in my announcement was to make it clear that FreeVeracity was a derivation of an existing tested commercial product rather than being brand-new code that everyone was likely to spend the next few months debugging! I wasn't trying to sneak through an advertisement, but I'm not sad if it's ended up as one!
  • FreeVeracity can be used/configured in MANY different ways and for many different applications. If you deploy it for intrusion detection using its network features, then the snapshot file ("hash table") is actually stored on the central checking client, not on the machine being attacked. So this is not an issue. Furthermore, you can get more than one client to check the target machine, so that there is more than one copy of the snapshot for the cracker to have to update.
  • But shouldn't intrusion detection be at the point of entry? Open ports, terminals, etc? It seems to me that if you have these areas locked down, this may be overkill. Or am I missing the point?
  • The Free World Licence allows distributors to charge a copying fee just like the GPL. So this is a non-issue.
  • How does this program tell the difference between an intruder modifying files using a real/spoofed login and a normal user modifying his own files that he should be modifying? Or is this program not designed to catch that?
    ---------------
  • The significant new thing is that FreeVeracity implements a new network service called an integrity server. This is a service just like FTP or HTTP or News or Email except that it serves integrity information in a standard form. There are very many ways of using an integrity server, just as there are many uses for FTP and mail. Security is just one application. An example of another application is the comparison of online and offline copies of a web. FreeVeracity defines a new multipurpose network service and provides a production-quality implementation for free platforms. As far as I know, no other software has taken this flexible well-defined new-network-service approach.
  • by v4mpyr ( 185039 ) on Saturday August 26, 2000 @05:09AM (#825858)
    FreeVeracity sounds cool. FreeVeracity should be put on all my linux boxes. FreeVeracity might someday rival TripWire. FreeVeracity story submitters should learn to use pronouns. ;-)
  • It still makes sense to be a little paranoid. Securing a system from the beginning [i.e. open ports] is of course a good idea, but it is also a very good idea to catch any alterations after the fact.

    Still, there is always
    rpm --verify -a
    ...which uses an MD5 hash to check for alterations in files, for those of you who always wondered why /var/lib/rpm took up so much space.
    But, of course, rpm could be among the compromised files, if someone has hacked root on your system. But, of course, so could 'veracity', I imagine, although perhaps having it run remotely on a network could make things harder for an intruder.
    --
    man sig
  • Hello there. You can choose to run FreeVeracity standalone or as a server either as root or as an ordinary user as you please. It just depends on what you want FreeVeracity to be able to see. If you want it to be able to see all the files on the system, then you'll have to run it as root.

    I'm not sure how FreeVeracity would work with PortSentry. However, if you use FreeVeracity's T.data feature to monitor logfiles, it will email you the logfiles differences, so yes it can be used to centralize the changes of a few different logfiles in one report, if that's what you meant.

  • Thank you. This is my position too. I'm not advocating the Free World Licence as the best licence. It's just another licence, but it's one that (I believe) is usefully different from existing mainstream free software licences and which provides another option for those thinking of releasing software under a free licence.
  • by SlushDot ( 182874 ) on Saturday August 26, 2000 @05:12AM (#825862)
    Why is it that whenever [big internet site] is cracked, many 3 letter agencies "go after" the crackers with a great zeal and spend millions to try them, and seize their hardware, and bar them forever from a career in computers....

    Yet when my box is cracked and my credit card numbers stolen, etc., calling anyone (police, FBI, etc.) gets a "why are you bothering us? You're lucky we don't prosecute *you* for wasting our time with such trivialities." attitude?

    Is cracking illegal or isn't it? Who do I report it to when I'm hit? What gov't/state/municipal entity defends me as defends amazon or CNN?

  • I agree with a lot of what you say. The main reason why the licence is the way it is in relation to commercial emulators is because excluding them resulted in a much more conceptually simple definition of "free platform".

    If you can form a concrete proposal for how the licence might be modified, I'll look at it.

  • You are missing the point... You should do intrusion detection after the fact, as well as take whatever prevention measures you can such as turning off unnecessary services, etc. If you really want to keep your systems secure, there is no such thing as overkill...

  • Most file based intrusion detection systems let you specify what directories/files are/aren't checked for changes. Something like user's files in their home directory would probably not be something that would be watched. Other stuff like log files would also be excluded, because they are expected to change. Things like executables in /bin /usr/bin and config files in /etc are examples of the things that are important to watch for modifications to.

    Unfortunately, this means that there are still places that intruders can hide files, but it doesn't mean that this type of tool isn't useful.
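An added example, not FreeVeracity's or Tripwire's own code, pulling together three points made in this thread: watch /usr/bin and /etc but not log or home directories, keep the trusted snapshot where the monitored host cannot rewrite it (the "stored on the central checking client" point), and compare against that copy rather than a freshly regenerated one (the "just update the hash table" objection). The directory tree, file contents and path rules are all constructed inline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _under(rel: str, prefixes) -> bool:
    return any(rel == p or rel.startswith(p + "/") for p in prefixes)


def is_watched(rel: str, watch, ignore) -> bool:
    """A path is checked when it lies under a watched prefix and not under an ignored one
    (log files and home directories are expected to change, so they are left out)."""
    return _under(rel, watch) and not _under(rel, ignore)


def take_snapshot(root: Path, watch, ignore) -> dict:
    """Record content hash, size and permission bits for every watched regular file."""
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if not is_watched(rel, watch, ignore):
            continue
        st = path.stat()
        snapshot[rel] = {"sha256": hash_file(path), "size": st.st_size,
                         "mode": oct(st.st_mode & 0o7777)}
    return snapshot


def compare(trusted: dict, current: dict) -> dict:
    """Report what an administrator has to account for: new, missing and altered files."""
    both = set(trusted) & set(current)
    return {"added": sorted(set(current) - set(trusted)),
            "removed": sorted(set(trusted) - set(current)),
            "modified": sorted(k for k in both if trusted[k] != current[k])}


def demo() -> dict:
    """Constructed scenario on a temporary tree: take a baseline, change the tree,
    then check against the off-host baseline and against a locally regenerated one."""
    baseline_files = {
        "usr/bin/login": b"constructed binary, baseline build",
        "usr/bin/sulogin": b"constructed binary",
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
        "var/log/messages": b"Aug 26 08:35 constructed boot message\n",
        "home/alice/notes.txt": b"constructed user file\n",
    }
    watch, ignore = ["usr", "etc", "var"], ["var/log"]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in baseline_files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)

        # The trusted snapshot leaves the host: serialised and held by the checking
        # client or on read-only media, as the thread recommends.
        trusted = json.loads(json.dumps(take_snapshot(root, watch, ignore)))

        # Changes after the baseline. The binary keeps its size, so a size check alone would miss it.
        (root / "usr/bin/login").write_bytes(b"constructed binary, modified build")
        (root / "usr/bin/sulogin").unlink()
        (root / "etc/inetd.conf").write_bytes(b"# constructed new file\n")
        with (root / "var/log/messages").open("ab") as f:
            f.write(b"Aug 26 09:00 constructed sshd message\n")
        (root / "home/alice/notes.txt").write_bytes(b"edited by its owner\n")

        current = take_snapshot(root, watch, ignore)
        return {
            # Checked against the copy the host cannot touch: every change shows.
            "against_trusted": compare(trusted, current),
            # Checked against a snapshot regenerated on the same host after the
            # changes (the "just update the hash table" case): nothing shows.
            "against_refreshed": compare(take_snapshot(root, watch, ignore), current),
        }
```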

  • There is no hippo crazy here as the Free World Licence explicitly does not claim to be "Open Source". Go read it! Near the top, it explicitly says so!

    I don't have an easy answer to your Darwin question, but I would guess that Apple will not be releasing OSX under a free licence, so therefore it will not be a free platform even if it is capable of running executables that run on free platforms.

  • Reminds me of Network Flight Recorder [nfr.net] which used to be open source minus the signature files contributed by l0pht [l0pht.com] which were under copyright. I believe NetworkComputing magazine did a test on IDS systems a while back and found that many were not mature enough to depend on for security. Though allowing people to help with the project will go a long way in keeping it up to date.
  • >How does this program tell the difference between
    >an intruder modifying files using a real/spoofed
    >login and a normal user modifying his own files
    >that he should be modifying? Or is this program
    >not designed to catch that?

    Not familiar with this particular s/w, but with this sort of thing you can generally pick and choose which files/directories to watch. You're not going to bother checksumming /home because you don't really care.

    And if you're the admin, you're going to remember what you did. If you add a new HD or something and get an alert the next day saying that /etc/fstab has been modified, it (hopefully!) won't be a surprise. It's the file changes you can't account for that you're supposed to worry about.

  • by v4mpyr ( 185039 ) on Saturday August 26, 2000 @05:19AM (#825869)
    Your best bet would be to head over to SecurityFocus [securityfocus.com] and get on their ``Incidents'' mailing list. Give a thorough explanation of everything you know along with any recoverable (and relevant) logs. There's hundreds, if not thousands of security professionals on that list who would gladly help you out.
  • oops, seems like only nfr.com [nfr.com] works now
  • by 0xdeadbeef ( 28836 ) on Saturday August 26, 2000 @06:31AM (#825871) Homepage Journal
    How do they intend on enforcing this "Free World" license? If you've got source, you can port. If it's really free software, how can they stop you from distributing that port? "Oh, these windows ifdefs? Those are for running it under WINE, a bona-fide certified justified free software application that runs under free operating systems."

    Doesn't this just become another shrink-wrap license? I think most of us are not ideologically opposed to copyright per se, but are opposed to selling things with strings attached, aka "licensed", because of the obnoxious power it gives vendors over how we use the things we buy. Even the GPL doesn't tell you how you must use a program, it simply says "give back what we hath given you".

    This license is foul, for that reason, and because it almost seems to willingly encourage relegating free operating systems to the hobbyist niche. It basically says you can make a profit on your work through traditional licensing fees, and toss a bone to free software enthusiasts at the same time. But what happens to your profit when free operating systems become the norm? If your revenue model is dependent on selling to proprietary platforms, you've screwed yourself by promoting free platforms. So you won't promote those platforms. In fact, why even release a free version at all?
  • Anyone here who has actually used it? What's your opinion?

    Founder's Camp [founderscamp.com]

  • by Anonymous Coward
    The *exact* same thing happened to me yesterday -- I found '9704 stream tcpnowait root /bin/sh sh -i' in my inetd.conf, too. It was a brand new box that I hadn't really finished installing yet (and had not yet turned on appropriate security).

    What's going on?

  • by Legolas-Greenleaf ( 181449 ) on Saturday August 26, 2000 @05:20AM (#825874)
    This is an interesting sounding licence. It works such that the program and its source is free as beer for operating systems whose main system components and their source can be freely downloaded (linux/*bsd/freedos/etc.), and not free for commercial OSs (irix, aix, windows, etc.), which also includes emulation of a free system on a not free platform.

    this approach has an interesting motivation - this way, they can experiment with open source on the more 'hackerish' OSs, while still maintaining their commercial customer base on the commercial systems.

    This licence seems to be borrowing various parts from the GNU licence and the FSF licence. I think this is somewhat a good thing, because it gives us who like to tinker with the code a chance to get at it (and for free!) while not risking the majority of their income (from serious commercial vendors). Perhaps we may see this approach to opensource used more in the near future. and it may encourage more and more companies to release their source, which is kinda cool, i think. also, it could be a starting step for companies to start releasing source, between not-at-all and full-disclosure.
    -legolas

    i've looked at love from both sides now. from win and lose, and still somehow...

  • How is this single product announcement newsworthy? It's not even a marginally new category of product. So hard up for material that Slashdot posts random product launch press releases now?
  • you got it slightly wrong, but it's not necessarily your fault because that website contains ambiguous use of free: it's not free as beer, it's free as speech. With "free as speech" software, you can charge money for it, but you cannot restrict other people's right to copy it. It's like the GPL except it has the extra restriction that you may not run it on a non free-as-open-source operating system, and because it is a click-wrap contract, not simply a license to use copyrighted material.

    BTW, the annotated explanation of the license contains the erroneous assertion that licence is a verb and license is a noun [m-w.com].

  • Without GNU, Linux would be a hacked clone of Minix. With GNU, it's a genuine alternative to other commercial/free Unix systems.
    Give credit where credit is due, dumbass.

    I'm sick and tired of this argument. I don't call my car a Chrysler/Toyota/American Motors Jeep*. I don't call my computer an Intel/Asus/WD/Ensoniq/Advanced Gravis 466. I don't call my daughter Andrew/Vanessa Katie.

    Yes GNU is a big part of Linux. You don't pollute the name of a product after the fact just because it was possible through a third (or fourth or fifth...) party.

    If Linus called it GNU/Linux I may think otherwise. However he didn't, and I don't stroke other people's egos just because they feel that now that what they helped with is popular they should get some face time.

    * - I believe that Jeep used Toyota transfer cases in their 90's model Cherokees and Grand Cherokees. That's a pretty important part of a 4WD vehicle, dontchathink?

  • by Anonymous Coward
    That's why you copied the snapshot file over to your favorite W.O.R.M. = write once read many medium when you ran it... In a quick look over the FV website I didn't see any specific support for WORM or loghosts, but since it appears the snapshot is just a file once it's made you can treat it just like your regular logs... Now, why snapshots aren't just deposited in /var/log or /var/adm by default instead of scattered about the filesystem is a good question...
  • without oxygen, earth would be lifeless. so, do you call it "oxygen/earth"?

    without C, most GNU tools would not exist: do you call them C/GNU?

    I could go on, but you get the message. You should take a course in linguistics and you'd realize that the morpheme "linux" has all of the meaning you prefer associated with it already. The morpheme pair "GNU/Linux", BTW, does contain an extra semantic bit in that it classifies the user as coming from a particular side of this debate. Therefore, it would actually be an error for that AC to use it if that is not her belief.

  • by Peter Eckersley ( 66542 ) on Saturday August 26, 2000 @07:07AM (#825880) Homepage
    If it's free only for free OS's, then it's non-free if you go by the Debian Free Software Guidelines (as I do).

    Before I start this, I should just state for the record that I am a very enthusiastic Debian user, and a wholehearted DFSG & FSF supporter.

    I thought for a long time about writing a Free World style license, simply because I resented the fact that Windows users could take almost any Free code I wrote and use it, while I couldn't use closed source Windows programs with anything like the same degree of ease.

    Ross Williams (author of the Free World license) states on his Free World pages [freeworldlicence.org] that he sees the only difference between his approach to licensing and that of the GPL as "strategic". One approach to freeing the world's software is to exclude non-free platforms from using the free code base that we have created; the other is to entice users away from the proprietary software by showing them what wonderful free programs were available.

    Eventually, I came round to agreeing with RMS [freeworldlicence.org] on this. I guess the key points that convinced me were:

    • You are restricting trapped users of non-free platforms in rather unpleasant ways
    • More importantly, you are encouraging an incompatible world. This is not only an unpleasant situation, but it may be strategically very unwise for the free software movement...
    I guess that having said those things, there could be some arguments for using this sort of license for "convenience" code, rather than "essential" code. If your application has no potential to be a source of incompatibility, then it could be acceptable to make it only available to users of Free platforms.
  • by mindstrm ( 20013 ) on Saturday August 26, 2000 @08:57AM (#825881)
    I'm curious.. I have simple scripts that, in conjunction with md5sum, do what these do.

    Summaries are generated using shell scripts, the results collected from all over the network and stored on a secure machine for later testing.

    How is this even a 'product'?
  • FWL makes no sense. People charge for CD's. Therefore it can't be free can it? Some distribution methods are free? Others are not? Apple's Darwin is free. RedHat sells distributions of Linux with add ons that you cannot download. You have to purchase that distribution. So does it not qualify?
    Cheers,
    WFE
    ===========
    Well FreeVeracity does sound promising and it is possible that one day it might rival tripwire.

    However, I think the tripwire of the future will be a better service overall, simply because it will be under GPL (to my knowledge). This new FreeVeracity licence, plain stinks. If I'm a lowly University stuck with Irix, I really don't want to spend tons of money to get x86 boxes or buy this product. Free software should be free software, no matter what platform you're running on. And this sort of license really doesn't consider binary emulation either...

    Also my other beef is with this Network Intrusion Detection (IDS) brand that they are putting on it. To me it sounds like a bunch of hype. Sure it's a network service and it can talk to a central machine but that's a far cry from the standard IDS methods I know of. When I think of IDS, I think of known attacks that firewalls recognize or specific IDS machines in promiscuous mode sniffing out the network. Sure it does help you quickly find out (like a standard IDS) whether you've been hacked or not, but it is a far cry from a standard IDS system.

    I'd also be wary of installing this software and running it right away right now, especially for those who are concerned about security. This product hasn't been reviewed by the general public, the source code hasn't been fully audited. No one (except the company itself) has praised this product. I'd be really wary.

    There's only one free network IDS that I'm aware of that's full-featured enough to claim the name, and that's Snort [snort.org]. Snort provides real time network traffic monitoring and classification, and just lately supports IP defragmentation and TCP stream reassembly, plus has many output and real-time alerting options including syslog, database (MySQL, Postgres, etc), and XML. Snort also runs on at least 21 platforms, including all the Linuces, *BSD, and Win32.

    Oh yeah, it's GPL'd too.

    FreeVeracity looks to be nothing more than a Tripwire clone that detects file changes on systems it's installed on. To use an analogy, it doesn't detect when your car has been stolen, but it goes off when the thieves try to repaint it.

    If you're interested in checking out Snort, head over to www.snort.org [snort.org] and have a look around.

    So now, with this program, i can log onto port 1062 and see what's been changed... hmm... writing a program to listen to port 1062 and say everything's a-ok... not too hard, i guess that'll be the next thing to add to rootkits...

    ---
    I'm not ashamed. It's the computer age, nerds are in.
    They're still in, aren't they?
  • I remember Mr. Taco mentioning on Slashdot Radio how he frequently receives "submissions" that are basically advertisements trying to get through as stories. I guess it was only a matter of time until someone fell for it.
  • Breakins to big-name sites make news. FBI catching perpetrators of those breakins makes news. Congress notices the news. Congress increases FBI budget for chasing computer-crime perps. Hence, it's about money.

  • Because this is free as in speech?
  • Although a lot of people, including RMS and ESR, apparently are opposed to the Free World Licence, it has its place among the "free" licences:

    There's the "free without restrictions" type of licences, e.g. the BSD licence, which basically let you do what you want with the software, including distribution of binaries without providing source. You can integrate it into proprietary projects without opening up your changes. It's for idealists who want to give away their code without asking for others to contribute back their improvements.

    Then there's the "free with restrictions" kind of licences, e.g. the GNU GPL, which also let you do what you want with the software, but forbids distribution of binaries without source. You can't take it without giving back your changes. It's for pragmatists who want to give away their code while making sure it will remain free for all.

    And now there's the "free only on free systems" licence, the Free World Licence, which is only free in the free parts of the software world. It's not Open Source because it's discrimination against non-free platforms which violates the Open Source Guidelines. However, it's useful for those who want to provide free software for users of free operating systems, but not to proprietary systems.

    All three try to support Free Software in their own way. So which one is best? That's up to you, the creator of the software will choose whichever licence fits to their ideology best, and all are good at what they want to do! And in the Free Software World, there are more ways than one, as we all know...

    (Or at least should know - never mind the flamewars, they are just a little drawback, the bright side is Freedom of Choice.)
  • by rtscts ( 156396 )
    what's the point in a post-ownage detection system? once the cracker is in your box, your intrusion detection system is also sitting there waiting to be modified.

    against good crackers, this system is worse than nothing as it will only give the admin a false sense of security. As far as I can tell, this would only be useful against the script kiddies and/or incomplete/interrupted jobs..
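    As an added example (not FreeVeracity's, Tripwire's or Aide's code), here is the snapshot-and-compare approach mindstrm's md5sum scripts describe, with the point raised above about the snapshot being reachable by an intruder addressed the way the WORM comment suggests: the snapshot is authenticated with an HMAC under a key that only the verifying host holds, so an edited snapshot is rejected. All paths, file contents and the key are constructed for the demo.

    ```python
    import hashlib
    import hmac
    import json
    import os
    import tempfile
    from pathlib import Path

    HASH = "sha256"


    def hash_file(path: Path) -> str:
        """Hex SHA-256 of one file, read in chunks so large files stay cheap."""
        h = hashlib.new(HASH)
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()


    def snapshot(root: Path) -> dict:
        """Map every regular file under root (path relative to root) to its digest."""
        result = {}
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.is_file() and not p.is_symlink():
                    result[p.relative_to(root).as_posix()] = hash_file(p)
        return result


    def seal(snap: dict, key: bytes) -> bytes:
        """Serialise canonically and append an HMAC tag; the key never lives on the monitored host."""
        body = json.dumps(snap, sort_keys=True).encode()
        tag = hmac.new(key, body, HASH).hexdigest().encode()
        return body + b"\n" + tag


    def unseal(blob: bytes, key: bytes) -> dict:
        """Check the tag before trusting a stored snapshot; raise if it was altered."""
        body, _, tag = blob.rpartition(b"\n")
        expected = hmac.new(key, body, HASH).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("snapshot tag mismatch: stored snapshot was altered")
        return json.loads(body)


    def compare(baseline: dict, current: dict) -> dict:
        """Classify files as added, removed or changed between two snapshots."""
        return {
            "added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        }


    def demo() -> tuple:
        """Constructed tree: take a baseline, simulate changes, diff, and try a forged snapshot."""
        key = b"constructed demo key - in practice held only on the verifying host"
        with tempfile.TemporaryDirectory() as d:
            root = Path(d)
            (root / "etc").mkdir()
            (root / "bin").mkdir()
            (root / "etc" / "inetd.conf").write_text("ftp stream tcp nowait root in.ftpd\n")
            (root / "bin" / "ls").write_bytes(b"\x7fELF constructed placeholder")
            sealed = seal(snapshot(root), key)  # copied off-host or to WORM media

            # Simulated post-intrusion state: a config file edited, a new file dropped.
            with (root / "etc" / "inetd.conf").open("a") as f:
                f.write("# constructed extra line\n")
            (root / "bin" / "extra").write_bytes(b"constructed new binary")
            diff = compare(unseal(sealed, key), snapshot(root))

            # Editing the stored snapshot without the key cannot produce a valid tag.
            forged = sealed[:3] + b"X" + sealed[4:]
            try:
                unseal(forged, key)
                forgery_caught = False
            except ValueError:
                forgery_caught = True
        return diff, forgery_caught


    if __name__ == "__main__":
        print(demo())
    ```

    Running it reports bin/extra as added and etc/inetd.conf as changed, and rejects the forged snapshot; the hashing itself cannot tell whether a change is benign, which is why the baseline is re-taken only after a trusted install or update.
    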
    > The Open Group tried to do this with Motif. RMS hated it. Read the linked-to /. stories for more info.

    Who cares what RMS likes or dislikes?

    Mojo
    But saying "If Linus called it GNU/Linux I might think otherwise" makes it sound as though you think it's the naming of the kernel (Linux) that's under discussion, which it isn't, or that Linus is responsible for the whole operating system, which he isn't. It gives the impression that you have no clue as to what is being discussed.

    Linus created the kernel, this is true. I refer to Linux as the collective kernel and the distribution it's in.

    If you want to badger the GNU organization about releasing GNU/Linux, that wouldn't bother me a bit and you'd have a valid point for calling it GNU/Linux. To date, however, GNU has not done this. Slackware has, Redhat has, Debian has, Suse has... you get the point. If I were to wrap the kernel around the Borland compiler and MKS utilities, what would you call it?

    This whole GNU/Linux thing makes (oh balls, who is it? RMS? ESR? I can never remember) look like they're trying to grab hold to the fame of Linux after it got popular by tacking on the GNU and acting like a slobbering idiot every time someone "forgets" to say GNU/Linux. My memory's not perfect, but I don't seem to recall what's-his-nuts emphatically defending the GNU/ in GNU/Linux until a few years ago, and that's what ticks me off. They were helping Linus out way before that.

    Hopefully this is making some sense, I'm trying to type and watch my daughter at the same time, and not doing a very good job of either this early in the morning. :-)

    Why is it that whenever [big internet site] is cracked, many 3 letter agencies "go after" the crackers with a great zeal and spend millions to try them, and seize their hardware, and bar them forever from a career in computers....

    Because they employ lots of people, have millions of credit card numbers, and take in more money in a day than you will in a year?

    Yet when my box is cracked and my credit card numbers stolen, etc., calling anyone (police, FBI, etc.) gets a "why are you bothering us? You're lucky we don't prosecute *you* for wasting our time with such trivialities." attitude?

    Because you are not wealthy, a big name, or important?

    Is cracking illegal or isn't it?

    Yes. And the great thing is that constitutional laws don't apply to cracking cases! Just ask Kevin Mitnick.

    Who do I report it to when I'm hit?

    A trained consultant, perhaps?

    What gov't/state/municipal entity defends me as defends amazon or CNN?

    None of them. That's where the private sector comes in. If you can't secure your Corel Linux box, it's not really the government's problem, now is it?

    -- Floyd
  • Freeveracity does not appear to be Open Source. I'm not sure I would be completely happy with loading onto my machines an application that I can't see the workings of, that opens yet another port for communication purposes. Even if it is an unprivileged port. I can just see this being a nice target for crackers....
  • That might be true if you're the target of a new attack. But when the 6.02e23rd victim of the LOVEBUG emails them... they just don't care anymore.

    Security groups are looking for new attacks and how to stop them so they can expand their protection arsenal. They have no interest in stopping cracking because... that would put them out of a job!


    Doesn't sound like you have any idea what we do, or have ever looked at the incidents list. We don't look for "ways to stop attacks" per se. We have no product. Take a look at the incidents list and see what kinds of posts people make. The archive is on our web site. Often times some ISP that has been ignoring complaints will finally do something when 10 other people chime in that they've seen the same activities from the same network.


    The incidents list is a community-based mailing list for concerned net users to discuss incidents that are happening in the wild. The majority of the time, it's other list readers that are able to identify what attack has taken place, or suggest a remedy of some sort. There have been any number of attempts to correlate incidents in the past, and they've all met with pretty limited success. The incidents list seems to be working. None of the other efforts would have ever touched such small scale incidents that the incidents list does.


    The only thing that the list (hopefully) buys us is more people who enjoy our site.

    If it's new, how come the version number is 3.0? Anyway, remember that security works best in layers: use TCP wrappers, a good firewall and possibly even a Tripwire/Veracity-like intrusion detection tool and you're relatively safe (and remember to keep up with your distribution's errata!).
  • by jpick ( 3522 ) on Saturday August 26, 2000 @05:33AM (#825897) Homepage
    If it's free only for free OS's, then it's non-free if you go by the Debian Free Software Guidelines [debian.org] (as I do).
  • I don't want to get into a blame-the-victim scenario, here, but I do worry about this sort of thing. We're transitioning from a frontier mode (where the law DOES get snooty if you try to complain about rustlers) to a homesteader mode where the future of law enforcement will begin to take form.

    Because of this, we need to think about HOW we ask for help. Do you really want an FBI consumer-equipment intrusion team, or should that be something handled by your local law enforcement agencies? Personally, I'd be a lot happier with an international network of local law enforcement teams that deal with intrusions of this sort. Individually, they may not have the resources, but if all they need is 1-2 staff per precinct/district/whatever and a computer connected to the Internet with "Fuzz 2.0" installed, we could keep power in the hands that local-scale elections can at least control by proxy (e.g. the Mayor of your city has some control over the police). In this way, individual citizens have a significant say in how Internet policies and laws are implemented in their corner of the world.

    Thoughts?
  • by Anonymous Coward
    it is opensource, but not compliant with the opensource guidelines :) specifically rule number 5 : No Discrimination Against Persons or Groups. (they are discriminating persons or groups: commercial software vendors). in case you are looking for the source : http://freeveracity.org/source.shtml . it's written in funnelweb (a GNU programming/documenting tool). there's also a link to funnelweb on the source page.
  • You are restricting trapped users of non-free platforms in rather unpleasant ways

    you are focusing (I think, you don't say) on the desire of these users to see source code. The license is trying to solve a different problem, how to make money. Yes, there are many users who are trapped, but many users have a choice about their platform, and the choosers are much more apt to be programmers with a need for source than are the trapped. The trapped can purchase the same product, the choosers can choose the source if they want.

    More importantly, you are encouraging an incompatible world. This is not only an unpleasant situation, but it may be strategically very unwise for the free software movement..

    you may feel that the use of this license may risk an incompatible world, but it explicitly doesn't encourage it. The license encourages selling stuff to people who've chosen a proprietary platform, and sharing stuff with people who've chosen to share. Same stuff, total compatibility.

    I'm not coming down in favor of this license, but I don't think you are fairly portraying what this license intends.

    I use Aide (http://www.cs.tut.fi/~rammer/aide.html), and it does the trick. It isn't all "gee whiz" but it is VERY configurable. (for instance use any or all of about a half a dozen checksums.)

    It is GPL, so you can run it on commercial boxes for free, too ;-)

    So if you want your security policy to include "it should be an interesting [licensing] experiment", use this thing.

    I'll stick to Aide, thanks.

    -Peter

  • GNU/BSD/X11/MPL/Artistic/Linux? BIND, Apache, Sendmail .... are all, I believe BSD'd. These are some of the top reasons people actually use Linux...err, sorry. GNU/BSD/X11/MPL/Artistic/Linux. I'm not denying the contribution of the GNU utilities/FSF to Linux at all. And I'm not even saying that you should call it "Linux". But neither should it be referred to as "GNU" or "GNU/Linux". In fact, you might as well call the distribution of Linux, the entire OS, by the name which the distribution was created. Ie, you could call Mandrake 7.1....Mandrake 7.1 and Debian 2.2, Debian 2.2...and....Slackware 7...Slackware 7. No need to mention "Linux kernel" or "GNU utilities" or "BSD-licensed servers" or "MPL programs" or "Artistic programs".

    No need.

    > I'm sure Norton/Symantec put pressure on Microsoft to not make windows too secure.

    Norton/Symantec putting pressure on Microsoft??? What possible pressure could they exert that MSFT would care about? They wouldn't even make a good-sized stain on the sole of the boot with which MSFT crushed them.
  • The Open Group tried [slashdot.org] to do this with Motif. RMS hated [slashdot.org] it. Read the linked-to /. stories for more info.
    <O
    ( \
    XGNOME vs. KDE: the game! [8m.com]
  • >You are restricting trapped users of non-free platforms in rather unpleasant ways

    you are focusing (I think, you don't say) on the desire of these users to see source code. The license is trying to solve a different problem, how to make money. Yes, there are many users who are trapped, but many users have a choice about their platform, and the choosers are much more apt to be programmers with a need for source than are the trapped. The trapped can purchase the same product, the choosers can choose the source if they want.

    Actually, I think you misunderstood me a little there. I am (sometimes) a trapped user. If I sit down in a lab full of Windows boxes, or in an internet cafe, or I use a proprietary UNIX server somewhere, I would like to be able to install and use free applications. The Free World License is a double edged sword....

    you may feel that the use of this license may risk an incompatible world, but it explicitly doesn't encourage it. The license encourages selling stuff to people who've chosen a proprietary platform, and sharing stuff with people who've chosen to share. Same stuff, total compatibility.

    Obviously, there is some truth to this, and incompatibility is not always going to result from doing this sort of thing. There are however, times when it may; this is most likely to occur when a new area opens up, and different protocols are vying to become the "standard" for some kind of service. During this process, having Free code available on non-free platforms gives us more chance of setting an open standard. When we don't achieve this, we suffer as a result. For example, a hypothetical cross-platform free office suite available in the early 90s might have saved us from having to stress about M$ Office compatibility....

  • I know who it is.

    I'll give you a hint, it's not me.

    Unfortunately, most law enforcement agencies cherry-pick crimes. Unless something of monetary value was lost (and usually constituting a felony), law enforcement will not do more than pay lip-service to finding the criminal. And not just re: computer crimes. Several years ago someone stole my car. Since its blue-book value was less than 500.00, the cops basically said, "We don't have time," even though I knew who did it! It is unlikely that any local law enforcement offices will allocate HR for computer crimes, except for the highly-publicized "internet stalker/pedophile" variety.

    And frankly, I don't blame them. There really are bigger fish to fry.
    Steve O.
  • Macintosh Post-It Notes [uriah.com]: the practicality of a post-it note, with the power of a macintosh!

    sorry... that's the first thing that came into my mind with the subject of your post. =^)
    -legolas

    i've looked at love from both sides now. from win and lose, and still somehow...

    Your best bet would be to head over to SecurityFocus and get on their ``Incidents'' mailing list. Give a thorough explanation of everything you know along with any recoverable (and relevant) logs. There are hundreds, if not thousands, of security professionals on that list who would gladly help you out.

    That might be true if you're the target of a new attack. But when the 6.02e23rd victim of the LOVEBUG emails them... they just don't care anymore.

    Security groups are looking for new attacks and how to stop them so they can expand their protection arsenal. They have no interest in stopping cracking because... that would put them out of a job!

    I'm sure Norton/Symantec put pressure on Microsoft to not make windows too secure. Security holes are profitable to an entire industry. You can't just cut them loose. Sure, MS will make secure windows for big business (NT Server at kilodollars per pop) but consumer grade windows will always have bugs. It's by design.

    That's not intrusion detection.
    It's change detection, yes. System integrity, yes... but not an IDS.

    Just like that rather neat linux kernel patch that locks off files and doesn't allow them to be changed isn't an intrusion detection system.. it's a change prevention system.
  • by Ledge Kindred ( 82988 ) on Saturday August 26, 2000 @06:02AM (#825923)
    Like for example, it would have been nice to see this "article" prefaced with the text:

    "This looks a whole heck of a lot like an Ad from Veracity, but the product still looks like it might be worthwhile to check out. Sorry for the blatant advertising in what's ostensibly an interesting technical story."

    -=-=-=-=-
