Archive for the ‘Slashdot Rounddown’ Category
Dave G. | June 25th, 2007 | Filed Under: Slashdot Rounddown
The answer to why PINs are four digits long is best summed up in this article about the ATM turning 40 years old. They quote John Shepherd-Barron, the inventor of the ATM:
Mr Shepherd-Barron came up with the idea when he realised that he could remember his six-figure army number. But he decided to check that with his wife, Caroline.
“Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,” he laughs.
If you had asked me how they came up with the length requirement, I would have guessed that somewhere, someone ran some basic statistics, figured out acceptable losses based on the likelihood of a PIN getting guessed, and then tried to balance that against user requirements.
Nope. That wasn’t (isn’t?) how decisions and standards are made. And even today, MOST PINs are four digits in length. Policies are well documented inside of the enterprise. One thing that usually doesn’t get well preserved is why those policy decisions were made.
The other choice quote from this article:
“Money costs money to transport. I am therefore predicting the demise of cash within three to five years.”
While I can appreciate anyone who tries to predict the future, we should remember there is a reason why we say most of them are insane. I can see a future without cash, but even if we all said right now that it is time to move away from cash, it would take more than five years to execute on that.
Finally, Mr Shepherd-Barron is working on a new invention, one to scare salmon-stealing seals away from his salmon farm:
“I invented a device to scare them off by playing the sound of killer whales, but it’s ended up only attracting them more.”
It’s clearly an uphill battle to top the invention of the ATM.
Dave G. | April 10th, 2007 | Filed Under: Slashdot Rounddown
Over at India enews, there is an article where F-Secure apparently suggests that we would benefit from yet another top-level domain. This time, instead of trying to have the adult entertainment business self-regulate, they are suggesting:
If ICANN introduced a .safe domain (or .sure or .bank), which could only be used by registered financial institutions, it would allow security providers to create better software to protect the public, according to F-Secure. It would be similar to other top level domain names such as .uk and .gov.
“While a .safe domain name won’t prevent phishing attacks, it will help banks and security providers to keep their customers safe,” said Patrik Runald, Senior Security Specialist at F-Secure. “Banks need to take on some of the responsibility for protecting their customers and using a secure domain name such as .safe will give customers the reassurance they need when banking online.”
There are a number of problems with this (besides who gets to call themselves a registered financial institution, and the amount of effort and money that will be spent on it). The biggest is that it won’t be that effective. This is a user education problem, and it won’t get solved by telling everyone, “just look for .safe”.
What .safe does solve is the problem of AV vendors having to figure out what is good and what is bad. This will basically:
- Cause banks to spend a ton of money in order to
- Decrease the costs of AV companies who have to invest crazy amounts of money in maintaining software that will always be evaded in order to, maybe, possibly, kinda
- Reduce the risk of the customer
Even F-Secure says:
“While a .safe domain name won’t prevent phishing attacks, it will help banks and security providers to keep their customers safe,” said Patrik Runald, Senior Security Specialist at F-Secure. “Banks need to take on some of the responsibility for protecting their customers and using a secure domain name such as .safe will give customers the reassurance they need when banking online.”
I want to apologize for the lack of posting these days. We are all supremely busy. When we get more breathing room, you will see a continuation of Tom’s Blogus Magnum “The Case Against DNSSEC”, and a couple of other treats.
Thomas Ptacek | March 24th, 2007 | Filed Under: Industry Punditry, Slashdot Rounddown, Uncategorized
From the +4 comments. I may have skipped 4 of them.
Because patches don’t make operating systems more secure, you idiot: “Wait…I’m supposed to think that fewer patches makes for a safer operating system?”

Because Microsoft can’t be trusted to patch anything, so nobody knows how many vulnerabilities Windows has, retard: “Retarded. It relies on the trust that OS vendors always patch all holes they’re alerted to, AND announces every one they’ve patched or been alerted to. Trust like that is the beginnings of security problems in the first place.”

And, “Windows had the most trivial and easy to fix vulnerabilities that they have fixed with a few number of patches, from possibly an unknown number of undiscovered vulnerabilities”. Jerk.

Also, “I could stop patching Windows forever and it will be the bestest Operating System EV-ER! Like OMGWTFBBQ!” ROTFLMAO LULZ!

Also everything in Windows runs in the kernel because I like, totally read that somewhere, jackass: “Redhat particularly, but also Mac, bundle more software. This means you have many more lower priority vulnerabilities because you have more LOC in userspace.”

Plus come on, Symantec is in Microsoft’s pocket, fool: “Symantec (who makes all of their profit from selling security products for Windows) says Windows is the way to go.”

And Microsoft is evil! “Further, Linux folks release a patch when they see a problem, M$ releases a patch when forced to by someone who’s published exploit code.”

Symantec shill! “This is a Symantec marketing campaign disguised as a press release disguised as a research report.”

Also, Linux does more, and that has to count for something you asshole. “Windows XP Pro’s standard install media doesn’t include 2 RDBMS packages…”

You’re a criminal. “Bot herders have named Windows as the most reliable operating system for hosting botnets and spam machines.”

Patch time doesn’t mean anything, bitch: “Maybe OS X’s average patch time is higher because the vulnerabilities they had were less important to patch?”

You fail. The only way to measure security is to see if people actually break in: “It seems like a truer test would be to set up a machine (or rather, a statistically significant bunch of machines) and measure the average time to system compromise.”

Computers are all insecure. That’s why I use Unix for security, moron. “As always, the most secure computer is the one that is turned off, and unplugged from the network. No security model is perfect, but I’d take any *nix for a web facing server any day.”

What about 1999?!?! “This only covers the last 6 months. Why only 6 months? Surely a more representative sample would be years. In this case, MS doesn’t look so good. Didn’t BSD have its 2nd bug in a decade recently?”

Doublespeak. “Windows is the most secure operating system. Windows has ALWAYS been the most secure operating system.”

How could you not know that Symantec is a Microsoft puppet? “Symantec has invested millions to get in bed with Microsoft and gain insider information into the workings of the OS.”

Didn’t you see that Windows mbuf bug? “A lot of the security fixes seen in OS X are related to applications, things like ‘a maliciously crafted quicktime movie could lead to elevated privileges’. This is a whole world different than ‘a buffer overflow in the TCP stack allows remote code execution’.”

You can’t even install Windows securely, traitor: “My usual response to that is to challenge the speaker to do a base install of Windows and a base install of Linux or MacOS with a machine plugged into the raw internet. Then measure how many times each OS has been pwned before it’s done installing.”

At least Linux boxes all auto-update for security patches: “Microsoft didn’t allow me to download the SP2 images from my Linux box either. They didn’t like my web browser.”

My hand-rolled Gentoo distribution doesn’t even run statd! “Not every OS opens up all sorts of services by default, you know. A decent Linux workstation will have sshd, if anything.”

My cat smells like cat food! “If we assume that the vast majority of people who find security holes do the right thing and notify the vendor, then we can conclude that the vast majority of security holes should not be exploited prior to it being patched. From this, we can conclude from the relatively high zero-day-flaws-to-patch-count ratio that the vast majority of known Windows security holes probably remain unpatched, thus making the above numbers dramatically understated. Just a hunch.”

Linux would win if your mom would just install her fucking compiler: “Oh don’t forget Visual studio 2005 and all its plugins as redhat out of the box has a full development kit installed.”

I blame America: “Well… I think you should talk to that norwegian bank which was down for a week (11,000 PC’s and 1,000+ servers) a couple weeks ago about how secure Windows is… so no, not really ‘All quiet’.”
Dave G. | March 20th, 2007 | Filed Under: Slashdot Rounddown
Overcoming stereotypes of American laziness, Symantec’s research has shown that our malware authors are more productive than those of any other country! From Preston Gralla @ ComputerWorld:
The latest Internet Security Threat Report released by Symantec says that the highest percentage of malware originates in the U.S., with some 31% coming from U.S. networks. China is a distant second, with 10%, and Germany was third with 7%.
I am really interested in seeing how these stats will change over time:
- Will we see other countries grow?
- Will we see Malware Outsourcing?
- What does this really say about America?
Finally, have they collected these stats before? Anything we can compare against?
Thomas Ptacek | March 2nd, 2007 | Filed Under: Slashdot Rounddown, Uncategorized
From Slashdot:
Justice delayed is justice denied. This is not a feather in the cap for the justice system.

All too often, when the “little guy” wins, he’s also bankrupt. Anyone know what the bill was for all this legal action?

The bottom line is that corporate management doesn’t give a shit about the actual security of their system. They only care about the illusion of security, and they’ll bring their full wrath against anyone who dares shatter that illusion.

13 years of fighting doesn’t sound especially pleasant. I can’t imagine what Randall had to go through to get his name cleared.

Yep, it finally happened: greybeard Unix security folk hero Randal Schwartz had his Oregon criminal record expunged, after his calamitous 1993 run-in with security teams at Intel. Schwartz has long been the poster child for over-broad “computer crime” laws; he was convicted of 3 felony counts and fined over $60,000 simply for cracking a password file. No malicious intent on his part was ever demonstrated.

Of course Schwartz has my sympathy. Computer crime laws across the country are a farce, and the ones that convicted Schwartz in Oregon are no exception.

But Schwartz is no hero. Apparently months after his contract with the Supercomputer Division at Intel had expired, he used a backdoor he had installed on one of their servers to grab an unshadowed Intel password file, which he then copied to a server in the new group he was contracting for and cracked. He got caught. It was then discovered that he’d also been cracking passwords from O’Reilly and Associates (and allegedly two other companies) as well as tunneling into Intel from outside their network.

These are, at a minimum, “firing-with-cause” offenses in modern enterprises. But Schwartz’ frenzied cult of supporters (motivated by his beloved contributions to the Perl community) aren’t content merely to point out that his actions probably weren’t criminal; they want to make a “whistleblower” out of him. Paraphrasing from one of his best-known amicus articles:

- No evidence existed that Intel disapproved of Randal’s behavior.
- An Intel Security person sat at the table next to the prosecutor during the trial.
- Three Intel employees helped search Randal’s house, and one helped police interrogate Randal.
- Intel’s presence influenced and biased a police statement where Randal “confessed” to “hacking” everyone he contracted for, even though “every one of those companies” testified on his behalf.
- The police couldn’t possibly have been smart enough to have taken a reliable oral account from someone as technical as Schwartz.
- Intel had authorized Schwartz to backdoor their computers (which he did to make it easier to read his mail) and crack passwords.
- Schwartz didn’t hide his activities.

But the record on this case is nowhere near this simple:

- According to Mark Morrissey, the admin who caught Schwartz cracking passwords, Schwartz had been reprimanded by the Supercomputer Division for a security breach after losing his contract there.
- According to the prosecution, Schwartz is on the record repeatedly acknowledging that he knew his actions violated Intel policy.
- Schwartz acknowledged during the trial that he had been accessing machines where his own account had been disabled.
- According to the prosecution, Schwartz didn’t tell some of the people who had weak passwords, and allegedly even admitted that he was stockpiling them to retain access to servers.
- Regardless of whether Schwartz’ friends and former employers cared about his security habits, Intel clearly did. They almost certainly didn’t profit from Schwartz’ prosecution.
- And, of course, there’s the obvious fact that Schwartz was cracking passwords for a business unit he apparently hadn’t worked for in months.

The prosecution in this case loses me, like they lose every one of you, when they start talking about the “theft” of Intel’s password files. But they have me completely when they compare Schwartz’s actions to those of a contractor working on your garage who uses the keys you give him to rifle through your bedroom drawers. And they allude to Schwartz’ arrogance, as he seemingly asserts that violating policy was fine as long as he himself knew his actions were benign. This resonates with me and saps my sympathy for his predicament.

Remember also that an expungement is not an overturned conviction. Records can be expunged for “good behavior” in many states, and Oregon is apparently one of them; the order to expunge says “That the circumstances and behavior of the defendant since the date of conviction on January 16, 1996 are found to warrant setting aside that conviction and records of arrest.” No doubt they’re right. Schwartz’ status as a Perl hero is unquestionable. But his standing as a security icon is ridiculous.
Dave G. | February 26th, 2007 | Filed Under: Slashdot Rounddown
Eric Allman wrote an article for ACM Queue. For those of you who don’t know who Eric is, he is the primary author of sendmail, so this is a topic he is well-versed in. His survey of the different approaches (from not fixing at all to announcing without a patch) is pretty complete, although he doesn’t give very good guidance about which ones to use.
The strongest criticism I have is in the timing section of the article. A choice quote on severity is:
A bug that gives an external user full control of a machine is more critical than one that allows the external user to break into the account of another user who opened an attachment (which that user shouldn’t have opened in the first place).
Another factor he brings up that affects how quickly a patch should be released is whether the bug was found internally or externally. Most (if not all) vendors use this as the primary factor in deciding whether to patch immediately or wait until the next release. It’s a simple gamble. It costs money to patch out of cycle, and most vendors are willing to bet their customers’ security that no one else will find the bug. Every major vendor is constantly rolling the dice on this. I would love to find statistics on patch times for internally discovered security issues (I assure you, you would be horrified).
One part of the article that I was a little surprised about was that he was pretty reasonable on how to work with security researchers. I certainly didn’t hear him call them vulnerability pimps or buckets of warm spit. In fact:
If the group is legitimate (i.e., one that isn’t trying to blackmail you), then you can usually negotiate, but only up to a point. Remember, even if you disagree with them, most of those groups are on the right side. Treat them with respect.
Dave G. | February 22nd, 2007 | Filed Under: Slashdot Rounddown
From the OC Register:
Police caught onto Kline after a Canadian computer whiz hacked into the judge’s Irvine home computer and discovered sexually explicit images of young boys and a diary that revealed Kline’s fantasies involving young boys. A subsequent search of his court computer revealed more images and more Web sites.
While this guy was clearly guilty and deserves to be arrested, I think it’s pretty crazy that the authorities will listen to someone who claims to have broken into someone’s computer and gives them evidence. How can they possibly validate that this evidence is real? The computer is already known to be compromised by someone who is breaking the law.
BTW, this is what the computer whiz kid actually did:
“I was just playing around with this program I wrote. I wanted to see how it worked. Then I got way more curious about what these people were doing. It’s exciting to see something you build actually work. It means I have actually helped out. It challenges me and makes me work,” said Mr. Willman, now 21.
The program, disguised as an image, allowed him to retrieve anything — undetected — once downloaded. He posted the image on several usenet groups used by pedophiles. In reality, the downloaded image was simply one retrieved from the user’s own hard drive.
Some 3,000 users around the world downloaded the Trojan Horse program, giving him full control of targeted computers.
Dave G. | December 19th, 2006 | Filed Under: Slashdot Rounddown
I was reading this post about rootkit detection on Linux. They go on to talk about chkrootkit (an NMAP top 100 tool!) and rootkithunter. After doing a couple of minutes of research, I was pretty sad. As far as I can tell, the majority of the techniques are limited to signature-style detection. The more ‘hardcore’ tests:
Every operating system has its advantages and disadvantages, like the differences between tools and disk structure. Some parts of an operating system are not available to others, so we cannot use all tests every time.
Linux
- compare processes in ps against the available files in /proc
FreeBSD
- look for differences between the output of netstat and sockstat
It seems like we haven’t progressed much since 1996 on rootkit detection. Or maybe this is just an open source issue. Or maybe I didn’t dig deep enough. Because in 1996 I seem to remember people at least doing:
- connect()/bind() to every port and compare that to the output of netstat.
- kill() every process with an innocuous signal and look for pids that exist but don’t appear in the output of ps.
I know there were others, what else am I missing? Yes, I know these techniques aren’t particularly effective against more modern rootkits. Yes, I know, this is a game of constant catch up. But we are further behind than I thought. This isn’t meant to be a dig on the authors or the tools. I am genuinely asking if there are smarter things we can be doing.
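The three cross-checks above (ps against /proc, kill() against ps, bind() against netstat), written out as an added example; this is not code from the original post, from chkrootkit or from rootkithunter. It assumes a Linux host with ps and either ss or netstat on the path, and the ps/netstat/ss output embedded in it is constructed sample data so the parsers can be exercised offline. Each check asks the kernel directly and subtracts what the user-space tool admits to; what is left over is the candidate hidden process or socket. That only catches rootkits which replace or filter ps, ls and netstat: a kernel rootkit that hooks getdents(), kill() and bind() answers both sides of every comparison consistently, which is exactly the catch-up game the post is talking about.

```python
# Added example (not from the original post, chkrootkit or rootkithunter):
# the classic user-space rootkit cross-checks.  Each one compares what a tool
# reports with what the kernel answers when asked directly; anything the
# kernel admits to but the tool omits is a candidate hidden process/socket.
# Assumes Linux (/proc, pid_max) with ps and ss or netstat available.
import errno
import os
import re
import socket
import subprocess

# Constructed sample output so the parsers can be exercised offline.
SAMPLE_PS = "  PID\n    1\n  742\n 1903\n"
SAMPLE_NETSTAT = (
    "Active Internet connections (servers and established)\n"
    "Proto Recv-Q Send-Q Local Address      Foreign Address    State\n"
    "tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN\n"
    "tcp        0      0 10.0.0.5:45210     93.184.216.34:443  ESTABLISHED\n"
    "tcp6       0      0 :::631             :::*               LISTEN\n"
)
SAMPLE_SS = (
    "State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port\n"
    "LISTEN  0       128     0.0.0.0:22           0.0.0.0:*\n"
    "ESTAB   0       0       [::1]:6010           [::1]:53321\n"
)

_ADDR_PORT = re.compile(r"^(.*):(\d+)$")


def parse_ps_pids(text):
    """PIDs from `ps -eo pid` output; the non-numeric header is dropped."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def parse_local_ports(text):
    """Local TCP ports from `netstat -atn` or `ss -atn` output.  In both
    formats the first address:port token on a line is the local address."""
    ports = set()
    for line in text.splitlines():
        for tok in line.split():
            m = _ADDR_PORT.match(tok)
            if m:
                ports.add(int(m.group(2)))
                break
    return ports


def hidden(kernel_view, tool_view):
    """What the kernel reports but the tool does not: the signal we want."""
    return set(kernel_view) - set(tool_view)


def pids_from_proc():
    """Numeric entries under /proc, i.e. the kernel's own process list."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}


def pids_from_kill(first=1, last=None):
    """Brute force: kill(pid, 0) delivers no signal, fails with ESRCH only
    when the pid does not exist, and EPERM still means the pid exists."""
    if last is None:
        with open("/proc/sys/kernel/pid_max") as f:
            last = int(f.read())
    alive = set()
    for pid in range(first, last + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def kill_probe_sees_self():
    """Sanity check of the probe against a pid known to exist: our own."""
    me = os.getpid()
    return me in pids_from_kill(me, me)


def ports_from_bind(ports=range(1, 65536)):
    """bind() every TCP port: EADDRINUSE means something holds it whatever
    netstat says.  SO_REUSEADDR keeps TIME_WAIT leftovers from counting;
    EACCES (privileged ports without root) is unknown, not 'busy'."""
    busy = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            try:
                s.bind(("0.0.0.0", port))
            except OSError as e:
                if e.errno == errno.EADDRINUSE:
                    busy.add(port)
    return busy


def _run(*argv):
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def run_checks(rounds=2, bind_ports=range(1, 65536)):
    """Live cross-checks.  Processes and connections come and go between the
    samplings, so findings are intersected across rounds; only what survives
    every round is worth a closer look."""
    findings = None
    for _ in range(rounds):
        ps = parse_ps_pids(_run("ps", "-eo", "pid"))
        try:
            listed = parse_local_ports(_run("ss", "-atn"))
        except FileNotFoundError:
            listed = parse_local_ports(_run("netstat", "-atn"))
        this = {
            "pids_in_proc_not_in_ps": hidden(pids_from_proc(), ps),
            "pids_seen_by_kill_not_in_ps": hidden(pids_from_kill(), ps),
            "ports_refused_by_bind_not_listed": hidden(ports_from_bind(bind_ports), listed),
        }
        findings = this if findings is None else {k: findings[k] & this[k] for k in this}
    return findings


if __name__ == "__main__":
    for name, found in run_checks().items():
        print(f"{name}: {sorted(found) or 'none'}")
```

Run it as root, otherwise bind() cannot probe ports below 1024 and they are silently skipped. The port comparison is against all TCP sockets (`-atn`), not only listeners, because a connected client socket also makes its local port refuse bind() and would otherwise show up as a false positive; short-lived processes and connections are the remaining source of noise, which is why the rounds are intersected.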
In other news, we are really busy, and the holidays are fast approaching, so our apologies for the lack of posting lately.
Dave G. | November 7th, 2006 | Filed Under: Industry Punditry, Slashdot Rounddown
This just in off of NewsForge:
What’s the goal?
The final goal is a real and complete methodology for hacker profiling, released under GNU/FDL. This means that, at the end of our research project, if a company will send us its (as detailed as possible) logs related to an intrusion, we — exactly like in the TV show C.S.I. when evidence is found on the crime scene — will be able to provide a profile of the attacker. By “profile” we mean, for example, his technical skills, his probable geographic location, an analysis of his modus operandi, and of a lot of other, small and big, traces left on the crime scene.
Interesting. Tell me more… how do you perform profiling?
The data useful for outlining attackers’ profiles will be collected through different threefold project stages, partly overlapped: an analysis of the existing literature on the topic, the distribution of a questionnaire, and honeynets.
This is looking less promising. It sounds like someone is going to read back issues of Phrack, and send out questionnaires to hackers and ask them to fill out a form. How are they going to do that?
The complete version of the questionnaire will be distributed exclusively to the persons who we are sure belong to the hacker underground. This group will act as a control group toward those who have filled out the compact version. In order to avoid false answers, we will also compare the data from the questionnaires with the ones obtained through a honeynet of new generation, with the aim to verify if the single hacker typologies identified through the questionnaires have the technical features, modus operandi, skills, targets, and motivations proper to the category.
How would they know they are actually talking to people in ‘the underground’? How would they know the answers are honest? What kind of person who is putting their freedom at risk would confirm that they are committing crimes and want to help someone get better at catching them?
Generally speaking, it comes out that hackers are usually brilliant, inventive, and determined. They generally feel anger and rebellion towards authorities and narrowmindedness, seen as a menace for civil liberties. Hacking is conceived as a technique and a way of life with curiosity and to put themselves through the hoops, or as a power tool useful for raising awareness among the general public about political and social issues. Normally, they are driven by the love for knowledge.
Of course! The brilliant kind. That’s not a profile, that’s a stereotype.
But what about the professional types?
Nevertheless, there are also hackers who have profit purposes and, therefore, practice phishing/pharming, carding, or industrial espionage. Their preferred targets are military and governmental systems, as well as information systems of corporations, telecommunication societies, schools, and universities, but also end users and SOHO.
So the ones doing it for money have narrowed down their target selection to:
- public sector
- private sector
- enterprises
- small businesses
- education
- end users
Every NPO just breathed a sigh of relief.
But what about skillsets?
The bulk of hackers (with low technical skills) are discouraged from systems difficult to violate: they prefer “easy” OSes such as Linux or Windows. By contrast, high-level hackers are stimulated only by systems considered “invulnerable” (*BSD, Solaris, HP/UX, VMS, IOS, Symbian) and by protocols.
Someone considers Solaris, HP/UX and NetBSD “invulnerable”?
sigh… the questionnaire is available online.
ps: Am I wrong about this? Because this seems absurd.
Dave G. | October 17th, 2006 | Filed Under: Slashdot Rounddown
Rapid7 found a heap overflow in NVIDIA’s X11 graphics driver. It can be exploited either remotely (via a malicious web page) or locally as a privilege escalation attack. The Slashdot posting on the subject says:
KernelTrap is reporting that the security research firm Rapid7 has published a working root exploit for a buffer overflow in NVIDIA’s binary blob graphics driver for Linux. The NVIDIA drivers for FreeBSD and Solaris are also likely vulnerable. This will no doubt fuel the debate about whether binary blob drivers should be allowed in Linux.
Just to be clear, this is the userland (X11) portion of the driver. And while the binary blob thing continues to be a hot debate in the open source community, this isn’t the only “binary blob” you are going to find on a functional Linux desktop. For example, Adobe Flash (which at some point became almost necessary for everyday web browsing) does not have a credible open source counterpart. I feel like this NVIDIA situation is more like Xpdf vs. Adobe Acrobat.
Don’t get me wrong, I would prefer it if vendors would open source these things. It’s easier to review from a security perspective, and when a flaw is found, you don’t have to wait two years for it to get resolved!