Archive for the ‘security’ Category

My Global Blog: Views on Vista

March 27, 2009

I started another blog a few weeks ago beyond the scope of this one. Originally, I was going to use it for content centered on the Aspire One but decided to make it a more general topics blog — a global blog. Mostly I’ve written about issues related to politics, the economy, and finance. When I’ve had time.

Today I’ve written about my latest experiences with Vista and my opinions of it now that I’ve had a little more time with it. I was never on the hate-Vista bandwagon. That’s because I didn’t have enough time with it to make a reasonable and rational decision.

Let me also reiterate: I’m fairly agnostic about operating systems even though I favor Unix-like systems (discounting OSX, which is an abysmal piece of beast excrement). I don’t think there’s a single solution for everyone and for every need. I also believe very strongly in freedom of choice. That choice includes — not excludes — Microsoft Windows. That’s why I don’t dismiss it out of hand. Many people use it, many people like it. More power to them. More power to those who prefer Unix-like systems.

I’m not a Microsoft fan, but I’m also not a Microsoft hater. They do a lot of things right and they occasionally get something wrong. I think their detractors get a lot more wrong than Microsoft does. That includes groups like FSF who spew lies (and offer an “alternative” operating system such as GNU HURD that after 25 years of development doesn’t and probably won’t in another 25 years suit most users’ needs) as well as nations who’ve sued a company for daring to succeed at the level they have (Linux distros are even more guilty of bundling software than Microsoft is but the EU won’t sue Ubuntu for including a browser or media player or office software in any given release).

I think Microsoft gets a lot of things right with Vista and — from the sound of things since I haven’t tried the betas yet — Windows 7. Whether and how soon they can recover from distorted public perceptions remains to be seen. I’m increasingly impressed with what Microsoft is doing and am seriously considering Windows 7 for my Aspire One. Enough so that I’m willing to reallocate the space taken up by PCLOS to try the new Windows 7 release candidate when it’s available.

CanSecWest 2009 Pwn2Own and Misc Security Thoughts

March 20, 2009

This year’s pwn2own at CanSecWest hasn’t been targeted at operating systems but at browsers and mobile platforms. This has drawn some heat because it didn’t include Opera, which is increasingly popular on mobile devices. Rather, it was only IE, Firefox, and Safari on Windows and OSX as well as phones.

While I approve of targeting specific applications, especially given the role browsers now play in most users’ lives, there are significant enough differences between operating systems and how they’re used by most users that I wish contests like these would continue to include OS-specific targets.

Let me also say that to a certain degree, the change in this year’s format does better illustrate the bigger problem of software security which isn’t at the OS level but in the wider area of applications. As software is increasingly cross-platform, the problems are often not limited to one platform: a vulnerability in Firefox may or may not affect more than Windows, but it’s more likely than not going to affect Windows users for two reasons: Windows is the biggest target by nature of its widespread adoption and Windows has a more standardized set of libraries than other operating systems. Everyone wants to dish out on Microsoft (and I want to dish out on Apple, whose software I believe is tremendously less secure than Windows) but the magnitude of “problems” with it is due to the issue of critical mass — more people use Windows so it’s always going to be a bigger target for crackers.

Security through obscurity isn’t security, it’s just obscurity. This is one reason why Linux wasn’t a target at pwn2own this year. It’s not that Linux is invulnerable to cracking or to malware like rootkits; it’s that hardly anyone in the aggregate uses it on desktops. Not security, obscurity.

If you want more security that way, use an even more obscure OS. Something nobody else is using, like BeOS or Haiku.

Change the topic from desktop to server and then look at the market share Linux has in that category and it’s a different story: where Windows desktop machines are great for botnets, they’re often herded from cracked Linux servers. Where Linux has less obscurity, it’s a bigger target.

The number of compromised Linux servers — which can only be estimated from the number of botnets shut down or observed to be operating (another part of security through obscurity that is dangerous is the feeling of invulnerability and the lack of tools to detect system compromise) — attests to the real problem with security: it’s not OS-specific, but rather a problem of buggy software and poor implementations and procedures. Just as it’s bad practice to use unpatched software on a Windows desktop, it’s bad practice to use unpatched software on a Linux server. And vice versa — buggy Linux desktops are just as bad as buggy Windows servers. Just as it’s poor procedure to run everything as administrator in Windows, it’s equally poor procedure to implement shoddy permissions in Linux (and some Linux CD-based distros run only as root). The problem really isn’t the OS, per se, but what’s being run on it and how it’s being run. The problem is really the user, the weakest link in the chain of security.

Desktop Linux users also tend to fit a less than lucrative target profile. While many people do choose Linux and BSDs for more than the free-as-in-beer reason, Linux users tend to fall in a very small demographic and it’s not a financially lucrative one. Whom would you target if you wanted money, someone who can afford to purchase a license or someone who brags about how Linux can run on cheaper, older hardware and doesn’t cost more than the cost of the installation media? People who try to rob cheapskates usually starve. In comparison, Bernie Madoff’s client list wasn’t filled with kids living in Mom’s basement but with celebrities and high society types and groups with considerable assets. Willie Sutton famously said he robbed banks because that’s where the money is; cybercrime targets Windows users because that’s where the money is — both in the aggregate (over 90% of desktops) and in the user demographics (above median income).

One more thing about this as it relates specifically to Linux. TippingPoint gives away computers and a few thousand dollars. These exploits have significant market value, more than a few thousand dollars and an inexpensive laptop. There may be some prestige among colleagues in the security field for being able to crack something. But it pales to what others are willing to pay for exploits on the open market, whether from government agencies or from criminals. It’s folly — a non sequitur — to suggest that the lack of Linux-specific or even Linux-targeted exploits at events like this indicates there are none or even few.

Back to pwn2own news… 

Day One was exciting with four zero day exploits against the targets. The first victim, and as usual the easiest and fastest one, was OSX via Safari. Charlie Miller won the MacBook for the second consecutive year. Then IE8 fell to “Nils,” whose three exploits netted him a Vaio (for being first to crack IE8 this year) and $15k (at a rate of $5k per demonstrated zero day exploit).

Day Two, with relaxed rules, proved less eventful. At last report, there were no more zero days demonstrated and few, if any, attempts to pwn phones.

CanSecWest closes today.

Red Hat, Fedora Hacked

August 22, 2008

This Secunia notice answers some of the questions raised last weekend about why Fedora issued a warning for users to not update their systems until further notice. The source for Secunia is Red Hat, not a third party this time. It reads:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

In connection with the incident, the intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only)…

More updates sure to follow. Does anyone else remember the quick dismissals about the small study that said this was possible? This appears to be limited but how many mirrors are ever checked and how frequently?

Linus Equates Security Issues with Other Bugs

July 17, 2008

I saw a link in my feeds list this morning about Linus Torvalds’ “opinion on BSD.” The link went to a small article that concentrated on one small quote from a posting in which Linus dismissed the focus on security at the expense of other bugs.

Security people are often the black-and-white kind of people that I can’t stand. I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.

Certainly interesting and colorful fodder for discussion on many levels. It’s lost, though, in the context of an important discussion about security.

It comes in a discussion about transparency of the way Linux developers handle security issues. The person to whom Linus was replying is a security specialist who releases the grsecurity patches and PaX, which is a kernel-level security implementation that restricts address space read-write access. In recent months, grsecurity has taken the position that Linux developers “hide” too much when releasing security updates; the concerns about issues in kernel 2.6 have led grsecurity to advise against using 2.6 if possible:

Due to Linux kernel developers continuing to silently fix exploitable bugs (in particular, trivially exploitable NULL ptr dereference bugs continue to be fixed without any mention of their security implications) we continue to suggest that the 2.6 kernels be avoided if possible.

It is not clear if the PaX Team will be able to continue supporting future versions of the 2.6 kernels, given their rapid rate of release and the incredible amount of work that goes into porting such a low-level enhancement to the kernel (especially now in view of the reworking of the i386/x86-64 trees). It may be necessary that grsecurity instead track the Ubuntu LTS kernel so that users can have a stable kernel with up-to-date security fixes. I will update this page when a final decision has been reached.

I think what’s more interesting — and disturbing — in the whole discussion isn’t Linus’ likening OpenBSD developers to “masturbating monkeys” but rather his view that all bugs are equal.

They aren’t.

While it may be a hassle to have quirky or erratic behavior because of a particular poorly-written module, it pales in comparison to vulnerabilities allowing remote or local system compromise. Speaking of comparisons, here’s the same historical data as in the two previous links for OpenBSD 3.x, OpenBSD 4.0, OpenBSD 4.1, and OpenBSD 4.2 — not exactly apples-to-apples since BSDs are a bit more than a kernel.

This isn’t immediately about protecting the kind of twats who play with desktop root-only distros like Puppy (separate issue aggravated by sloppy permissions abuse and the ridiculous belief that they’re invincible because they’re not using Windows) because such isn’t the most lucrative market for Linux. It could have grave consequences for enterprise users, including government agencies, with sensitive information to protect. You may not care if someone on your network can cause a DoS or if pictures of your kittens are pilfered, but you should care if your Social Security number or health information is easily accessible to those who shouldn’t be able to access it. It can very adversely affect your privacy and your future. And you should care if you run servers and they’ve been herded for criminal activities (such as to manage a “kennel” of a botnet of Puppy machines).

I accept and appreciate Linus’ point that all bugs are serious and that everyone who fixes a bug is deserving of praise. I disagree, though, that having eyes focused on security is a hindrance to getting “smaller” issues resolved. That certainly hasn’t been the experience in OpenBSD, whose developers have on more than one occasion been months ahead of the curve on all manner of bugs plaguing other operating systems (including Linux). OpenBSD’s strict coding practices are set in place specifically to make auditing code for all bugs easier.

Security is generally only as strong as the weakest link: the user. You can have a tight operating system like OpenBSD and open it all up so that it’s insecure. Or you can take an “insecure” OS and tighten it up so that it’s very safe. That’s why I roll my eyes when I read some gullible fool prating about being more secure with Linux than Windows, whether it’s a Puppy user (root only and usually running very vulnerable software) or the guy who boasted about running DSL in QEMU in Windows at Internet cafes or someone who doesn’t realize his fresh install of ___ (whatever distro) has several processes running that expose him to the world. That’s all about what users do with what they’re given. Users can be responsible or irresponsible with it.

Developers can make it easier or more difficult to keep systems secure. It’s disconcerting that Linus would be so dismissive of the attention security gets. In that same thread, the person to whom he made the “masturbating monkeys” comment pointed out that other Linux developers have leveled the same complaints about the nature of security issues and the lack of disclosure in addressing them. He linked to one of Willy Tarreau’s (Tarreau is now the 2.4 maintainer) comments on LKML:

I don’t like obfuscation at all WRT security issues, it does far more harm than good because it reduces the probability to get them picked and fixed by users, maintainers, distro packagers, etc…

What’s really worse, being likened to “masturbating monkeys” or being called an obfuscator when it comes to the way security issues are handled? And what of all the Linux advocacy that mentions open source being inherently more secure because it’s “open”?

Maybe that’s not really a selling point after all.

(Edited to include Secunia links for comparison purposes.)