Linux-Advocacy Digest #179, Volume #26           Tue, 18 Apr 00 06:13:07 EDT

Contents:
  Re: simply being open source is no guarantee of security. (Truckasaurus)
  Re: Backdoors in Windows 2000 or server software? (Karel Jansens)
  Re: Become a Windows Registry Expert! (Karel Jansens)
  Re: Become a Windows Registry Expert! (Karel Jansens)
  Re: BSD & Linux (david parsons)
  Re: Detonators 5.14 UP!!!!!!!! ("TiMOiD")
  Re: Backdoors in Windows 2000 or server software? (Rob S. Wolfram)
  Re: Why Linux on the desktop? (Christopher Browne)

----------------------------------------------------------------------------

From: Truckasaurus <[EMAIL PROTECTED]>
Crossposted-To: comp.os.ms-windows.nt.advocacy
Subject: Re: simply being open source is no guarantee of security.
Date: Tue, 18 Apr 2000 08:41:21 GMT

In article <[EMAIL PROTECTED]>,
  "Drestin Black" <[EMAIL PROTECTED]> wrote:
> From: http://www.securityfocus.com/commentary/19
> Wide Open Source
> Is Open Source really more secure than closed? Elias Levy says there's a
> little security in obscurity.
> By Elias Levy April 16, 2000 11:59 PM PST

(...)

> Sure, the source code is available. But is anyone reading it?

No, all the fixes and patches (pick one):
1) just popped up from the ground
2) were delivered by the UFOs
3) are nonexistent; the improvements of open source are happening by
   themselves, since artificial intelligence is built into every open
   source program.

> If Open Source were the panacea some think it is, then every security hole
> described, fixed and announced to the public would come from people
> analyzing the source code for security vulnerabilities, such as the folks at
> OpenBSD, the Linux Auditing Project, or the developers or users of the
> application.
> There have been plenty of security vulnerabilities in Open Source Software
> that were discovered, not by peer review, but by black hats.

And, as we have seen, no black hats _ever_ get employed by closed source
companies like Microsoft:
http://www.computerworld.com/home/print.nsf/all/000414D5E2


> But there have been plenty of security vulnerabilities in Open Source
> Software that were discovered, not by peer review, but by black hats. Some
> security holes aren't discovered by the good guys until an attacker's tools
> are found on a compromised site, network traffic captured during an
> intrusion turns up signs of the exploit, or knowledge of the bug finally
> bubbles up from the underground.

And when this happens, the Open Source community is fixing the problem
much faster than a company like MS would be able to:
http://securityportal.com/direct.cgi?/cover/coverstory20000117.html:
"Red Hat did a better job of handling the "full disclosure" bug
releases, usually solving these problems in under 2 weeks, with 67 days
being the extreme case. Microsoft usually took over 3 weeks to
patch "full disclosure" bug releases, with a worst case of 146 days."

> Why is this? When the security company Trusted Information Systems (TIS)
> began making the source code of their Gauntlet firewall available to their
> customers many years ago, they believed that their clients would check for
> themselves how secure the product was. What they found instead was that very
> few people outside of TIS ever sent in feedback, bug reports or
> vulnerabilities. Nobody, it seems, is reading the source.

"Making source code available to customers" does not equal "Releasing
source code under an open source license".

> The fact is, most open source users run the software, but don't personally
> read the code. They just assume that someone else will do the auditing for
> them, and too often, it's the bad guys.
>
> Even if people are reviewing the code, that doesn't mean they're qualified
> to do so.

And, even if I'm driving a car, it doesn't mean that I'm qualified to
repair it. But if I can open the hood, and find a dead cat, a bird's
nest, and a lousy engine, the manufacturer of my car is less likely
to stuff my car with crap.
If I, on the other hand, couldn't/weren't allowed to check under the
hood, the manufacturer would be more likely to use crappy parts in
order to save money.
And his workers could embed pieces of cardboard, saying "Drestin is a
wienee", if they were black hats, and I'd have to rely on someone else
doing the extra effort of disassembling and investigating.

> In the scientific world, peer review works because the people doing the
> reviewing possess a comparable, or higher, technical caliber and level of
> authority on the subject matter than the author.

I've never read anywhere in open source code that:
"Please make sure you are dumber than the writer of this code, if you
want to do any reviewing".
What is the point?

> It is generally true that the more people reviewing a piece of code, the
> less likely it is the code will have a security flaw. But a single
> well-trained reviewer who understands security and what the code is trying
> to accomplish will be more effective than a hundred people who just recently
> learned how to program.

But having 1 well-trained reviewer reviewing a piece of code does not
prevent 100 newbie programmers from doing the same - and vice versa.
What is the point?

> It is easy to hide vulnerabilities in complex, little understood and
> undocumented source code.

Which is why reviewers will tell the coder:
"Write some readable code, or we will use another program!"

> Old versions of the Sendmail mail transport agent implemented a DEBUG SMTP
> command that allowed the connecting user to specify a set of commands
> instead of an email address to receive the message. This was one of the
> vulnerabilities exploited by the notorious Morris Internet worm.
>
> Sendmail is one of the oldest examples of open source software, yet this
> vulnerability, and many others, lay unfixed a long time. For years Sendmail
> was plagued by security problems, because this monolithic program was very
> large, complicated, and little understood but for a few.

This speaks against big monolithic design, not against open source.

> Vulnerabilities can be a lot more subtle than the Sendmail DEBUG command.
> How many people really understand the ins and outs of a kernel based NFS
> server? Are we sure it's not leaking file handles in some instances? Ssh
> 1.2.27 is over seventy-one thousand lines of code (client and server). Are
> we sure a subtle flaw does not weaken its key strength to only 40-bits?

Are we sure that there are no vulnerabilities in non-open source
programs?

> There is no strong guarantee that source code and binaries of an application
> have any real relationship.

Which is why we are endowed with wonderful compilers like gcc/pgcc and
Makefiles, if the doubt is keeping us awake at night. With closed
source we'll just have to trust that the "Registration Wizard" is doing
its job, the _whole_job_, and _nothing_but_ the job...

> All the benefits of source code peer review are irrelevant if you cannot be
> certain that a given binary application is the result of the reviewed source
> code.

gcc/pgcc, Makefiles. Your "point" doesn't get better by simply repeating
it. You are wasting time and bandwidth.

> Ken Thompson made this very clear during his 1983 Turing Award lecture to
> the ACM, in which he revealed a shocking, and subtle, software subversion
> technique that's still illustrative seventeen years later.
>
> Thompson modified the UNIX C compiler to recognize when the login program
> was being compiled, and to insert a back door in the resulting binary code
> such that it would allow him to login as any user using a "magic" password.

"Caution: Microsoft, Inc. asserts that this content is safe.
You should only install/view this content if you trust
Microsoft, Inc. to make that assertion."

You'll always have to trust someone, if you want to run a program.

> Anyone reviewing the compiler source code could have found the back door,
> except that Thompson then modified the compiler so that whenever it compiled
> itself, it would insert both the code that inserts the login back door, as
> well as code that modifies the compiler. With this new binary he removed the
> modifications he had made and recompiled again.
>
> He now had a trojaned compiler and clean source code. Anyone using his
> compiler to compile either the login program, or the compiler, would
> propagate his back doors.

And this differs from Windows viruses exactly how?

> The reason his attack worked is because the compiler has a bootstrapping
> problem. You need a compiler to compile the compiler. You must obtain a
> binary copy of the compiler before you can use it to translate the compiler
> source code into a binary. There was no guarantee that the binary compiler
> you were using was really related to the source code of the same.
>
> Most applications do not have this bootstrapping problem. But how many users
> of open source software compile all of their applications from source?

It's not necessary, if you trust your provider. But with Open source
you have the choice.

> A great number of open source users install precompiled software
> distributions such as those from RedHat or Debian from CD-ROMs or FTP sites
> without thinking twice whether the binary applications have any real
> relationship to their source code.

Compile source code. Then you know.
Besides - there is _no_way_ of telling whether a Thompsonized compiler
has been slipped into MS development. Again, you'll have to trust
_someone_ if you ever want to run a program.

> While some of the binaries are cryptographically signed to verify the
> identity of the packager, they make no other guarantees. Until the day comes
> when a trusted distributor of binary open source software can issue a strong
> cryptographic guarantee that a particular binary is the result of a given
> source, any security expectations one may have about the source can't be
> transferred to the binary.
>
> Open Source makes it easy for the bad guys to find vulnerabilities.

Closed source makes it easy for MS to hide from users that MS screwed
up/introduced vulnerabilities. Vulnerabilities that can be found, and
spread through a network of black hats, leaving you in the dark in order to
protect MS goodwill and image. That makes me feel _real_ safe...

> Whatever potential Open Source has to make it easy for the good guys to
> proactively find security vulnerabilities, also goes to the bad guys.
>
> It is true that a black hat can find vulnerabilities in a binary-only
> application, and that they can attempt to steal the source code to the
> application from its closed source. But in the same amount of time they can
> do that, they can audit ten different open source applications for
> vulnerabilities. A bad guy that can operate a hex editor can probably manage
> to grep source code for 'strcpy'.
>
> Security through obscurity is not something you should depend on, but it can
> be an effective deterrent if the attacker can find an easier target.

And if the company you bought your software from employed a black hat?
Or _is_ the black hat???

> So does all this mean Open Source Software is no better than closed source
> software when it comes to security vulnerabilities? No. Open Source Software
> certainly does have the potential to be more secure than its closed source
> counterpart.

Exactly!

> But make no mistake, simply being open source is no guarantee of security.

Who claimed it was a _guarantee_?

--
"It's the best $50 bucks I ever spent. I would have paid five
times that for what your 'New You' packet allowed me to do!!!"
-- K. Waterbury, CA
Martin A. Boegelund.


Sent via Deja.com http://www.deja.com/
Before you buy.
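The article quoted above notes that anyone can "grep source code for 'strcpy'"; the same grep is what a reviewer runs first. The following is an added illustration written for this digest, not code from the article or from any poster: a small Python audit that flags unbounded C string calls outside comments and string literals, run over a constructed sample. The call table, the suggested replacements and the sample source are my assumptions.

```python
import re
# Unbounded calls a reviewer greps for, with the bounded alternative to
# suggest. This table is an assumption of the example, not from the article.
UNSAFE_CALLS = {
    "strcpy": "strncpy/strlcpy with an explicit size",
    "strcat": "strncat/strlcat with an explicit size",
    "sprintf": "snprintf",
    "gets": "fgets",
}
_CALL_RE = re.compile(r"\b(" + "|".join(UNSAFE_CALLS) + r")\s*\(")

def strip_comments_and_strings(src: str) -> str:
    """Blank out C comments and string/char literals, keeping newlines so
    line numbers in the result still match the original file."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src.startswith("//", i):            # line comment: drop to end of line
            j = src.find("\n", i)
            i = n if j < 0 else j
        elif src.startswith("/*", i):          # block comment: keep only its newlines
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
            out.append("\n" * src.count("\n", i, j))
            i = j
        elif src[i] in "\"'":                  # string or char literal, honouring escapes
            quote, j = src[i], i + 1
            while j < n and src[j] != quote:
                j += 2 if src[j] == "\\" else 1
            i = min(j + 1, n)
        else:
            out.append(src[i])
            i += 1
    return "".join(out)

def find_unsafe_calls(src: str):
    """Return [(line_number, function_name), ...] for unsafe calls in real code."""
    hits = []
    for lineno, line in enumerate(strip_comments_and_strings(src).split("\n"), 1):
        for m in _CALL_RE.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits

def report(src: str):
    """One human-readable finding per hit, with the bounded replacement to suggest."""
    return [f"line {ln}: {fn}() -> prefer {UNSAFE_CALLS[fn]}" for ln, fn in find_unsafe_calls(src)]

# Constructed sample: two real unbounded calls plus two decoys that a naive grep would flag.
SAMPLE_SOURCE = """\
#include <stdio.h>
#include <string.h>

/* strcpy(buf, x) inside a comment is not a call */
int greet(const char *name) {
    char buf[16];
    strcpy(buf, name);                 /* unbounded copy */
    printf("strcpy() in a string\\n"); /* not a call either */
    sprintf(buf, "hi %s", name);       /* unbounded format */
    return 0;
}
"""

if __name__ == "__main__":
    for line in report(SAMPLE_SOURCE):
        print(line)
```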

------------------------------

From: jansens_at_ibm_dot_net (Karel Jansens)
Crossposted-To: 
comp.os.os2.advocacy,comp.sys.mac.advocacy,comp.os.ms-windows.nt.advocacy
Subject: Re: Backdoors in Windows 2000 or server software?
Date: 18 Apr 2000 10:09:12 GMT

Marty <[EMAIL PROTECTED]> wrote:

> Joseph wrote:
> > I haven't seen any article saying any MS employee was fired in
> > conjunction with the "weenie" bug.
> 
> That was my assumption from what was written in a URL that you posted:
> 
>http://news.cnet.com/news/0-1003-200-1696137.html?tag=st.ne.1002.tgif.1003-200-1696137?st.ne.fd.gif.c
> 
> 'Software code enabling the back door includes the phrase "Netscape engineers
> are weenies!" The Microsoft spokeswoman made it clear the engineers' action is
> a firing offense. "It's absolutely against Microsoft policy, and Microsoft is
> looking into it seriously," she said.'

Yeah. With their track record, probably to find out how to get away 
with it next time.

Karel Jansens
jansens_at_attglobal_dot_net
========================================================
CIA-bait:

Saddam Hussein Iraq Iran hijack assassinate CIA plutonium
President of the United States thermonuclear device
Windows weapons FBI biohazard Microsoft uranium
submarine kill timer explosives

Have a nice day, guys!
========================================================



------------------------------

From: jansens_at_ibm_dot_net (Karel Jansens)
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.sys.mac.advocacy,comp.os.os2.advocacy
Subject: Re: Become a Windows Registry Expert!
Date: 18 Apr 2000 10:09:12 GMT

"Tim Mayer" <[EMAIL PROTECTED]> wrote:

>  
> I like WordPerfect, and even both recognize and  accept that PerfectOffice
> is every bit as good as MS Office (based on a Gartner Group report). Now
> that it's bundled with Corel PerfectLinux, I like it even more.
>  

<warmly embracing believer, formerly suspected of heresy, back into 
the ranks of the One and True Faith>

The Lord has brought our brother back! F10, F10, F10!!!

Karel Jansens
jansens_at_attglobal_dot_net
========================================================
CIA-bait:

Saddam Hussein Iraq Iran hijack assassinate CIA plutonium
President of the United States thermonuclear device
Windows weapons FBI biohazard Microsoft uranium
submarine kill timer explosives

Have a nice day, guys!
========================================================



------------------------------

From: jansens_at_ibm_dot_net (Karel Jansens)
Crossposted-To: 
comp.os.os2.advocacy,comp.os.ms-windows.nt.advocacy,comp.sys.mac.advocacy
Subject: Re: Become a Windows Registry Expert!
Date: 18 Apr 2000 10:09:17 GMT

Marty <[EMAIL PROTECTED]> wrote:

> George Graves wrote:
> > 
> > In article <[EMAIL PROTECTED]>, Marty <[EMAIL PROTECTED]>
> > wrote:
> > 
> > >George Graves wrote:
> > >>
> > >> Don't worry, I won't. I have learned that the only thing that Apple
> > >> could ever do to please Wintrolls who post on CSMA is to roll over,
> > >> belly-up and die. With Apple gone, they wouldn't have that little
> > >> nagging voice in their head that keeps saying "did I choose the wrong
> > >> platform?" Because with no Apple, there would be only ONE platform and
> > >> the Wintrolls could sleep secure in their beds with no nasty Apple
> > >> confusing them with that pesky Macintosh.
> > >
> > >A common misconception.  PC owners are becoming increasingly aware that
> > >there are alternatives to MS based products, thus there are far more than 
> > >"one" platform available.
> > 
> > With what, pray tell, to run on them?
> 
> It's called "software" I think.

ROTFCMBALMAO!!!

Karel Jansens
jansens_at_attglobal_dot_net
========================================================
CIA-bait:

Saddam Hussein Iraq Iran hijack assassinate CIA plutonium
President of the United States thermonuclear device
Windows weapons FBI biohazard Microsoft uranium
submarine kill timer explosives

Have a nice day, guys!
========================================================



------------------------------

From: [EMAIL PROTECTED] (david parsons)
Crossposted-To: 
comp.unix.bsd.freebsd.misc,comp.unix.bsd.openbsd.misc,comp.unix.bsd.misc,comp.unix.bsd.netbsd.misc,comp.os.qnx
Subject: Re: BSD & Linux
Date: 18 Apr 2000 01:33:24 -0700

In article <8ddtve$87e$[EMAIL PROTECTED]>,
Michael Kagalenko <[EMAIL PROTECTED]> wrote:

> Personally, I am not sure about this. Have any of you guys tried QNX demo
>disk at http://qnx.com/iat/index.html ?
>
>They fit a kernel, networking, windowing system with a browser and
>dialer and a few misc. applications like a web server on one 1.44 floppy. I doubt
>this can be done with *BSD and Linux.

   I'm not going to talk about putting FreeBSD on a floppy, but I do a
   Linux distribution and I can fit a kernel and 2000k of userland on a
   1.44mb floppy.   The thing that the QNX demo _really_ shows off is
   that they've managed to write a teeny tiny graphical environment to
   go on a floppy.  QNX is probably a fairly nice OS, but wedging a
   usable graphical environment onto a floppy disk shows a sort of
   frugality that you don't see often these days.

                 ____
   david parsons \bi/ FreeBSD, alas, is still 500k (compressed) ahead of
                  \/                 Linux on the kernel bloat front :-(

------------------------------

From: "TiMOiD" <[EMAIL PROTECTED]>
Crossposted-To: alt.comp.periphs.videocards.nvidia,comp.os.ms-windows.nt.advocacy
Subject: Re: Detonators 5.14 UP!!!!!!!!
Date: Tue, 18 Apr 2000 19:38:10 +1000

don't use those 5.13/5.14 drivers... my monitor had a retrace line that
had the rgb colours spread from it; i went back to 3.84 and it disappeared...
that couldn't have been good....

it was at 1024x768x16bit @ 75hz or higher on black.

"abraxas" <[EMAIL PROTECTED]> wrote in message
news:8ddan8$1k8d$[EMAIL PROTECTED]...
> In comp.os.linux.advocacy TiMOiD <[EMAIL PROTECTED]> wrote:
> > The Win2k TNT2 drivers (5.14) are still sucky... 5 minutes after a restart,
> > oooh look a lovely BSOD. damn huh.
>
> Indeed they are.  They are absolutely the worst things I've ever seen.
>
> They also absolutely prohibit directX taking full console control (full screen
> mode).  They are a half-assed attempt at BEST.
>
> Thanks microsoft, for yet more innovative and world changing code.
>
>
>
>
> -----yttrx
>



------------------------------

From: [EMAIL PROTECTED] (Rob S. Wolfram)
Crossposted-To: 
comp.os.ms-windows.nt.advocacy,comp.os.os2.advocacy,comp.sys.mac.advocacy
Subject: Re: Backdoors in Windows 2000 or server software?
Date: 18 Apr 2000 09:02:34 GMT
Reply-To: [EMAIL PROTECTED]

Christopher Smith <[EMAIL PROTECTED]> wrote:
>
>"Rob S. Wolfram" <[EMAIL PROTECTED]> wrote in message > /me wonders....
>> Rob (happily using *backdoor free* software).
>
>Have you personally auditted every single line of code running on your
>computer to ascertain this ?

No, I have not, and no, I don't need to. It would be impossible for any
individual to audit every line of code that constitutes the Debian GNU /
Linux distribution, but several Debian developers do (as do many other
people, including security fanatics like Michal Zalewski and Theo de
Raadt, for those applications that are available for most Unixes,
including their own).
Unlike buffer overflows or race conditions, backdoors stand out in
source code and are impossible to hide (short of Ken Thompson's C compiler /
login binary trick, which is not applicable anymore).
Because of the peer review that the applications in the Debian
distribution have undergone, especially the network aware applications,
I *can* state firmly that I'm running backdoor-free software. Of course
I cannot guarantee the same for buffer overflows or race conditions, but
that's a whole other chapter.

Also, the Active Setup "feature" described in Bruce Schneier's last
Crypto-Gram (see http://www.counterpane.com/crypto-gram-0004.html ) is a
backdoor. Exactly these kinds of "features" will be lacking in open source
software.

Cheers,
Rob
-- 
Rob S. Wolfram <[EMAIL PROTECTED]>  PGP 0x07606049  GPG 0xD61A655D
   Anyway the :// part is an 'emoticon' representing a man with a
   strip of sticky tape across his mouth.
                -- R. Douglas


------------------------------

From: [EMAIL PROTECTED] (Christopher Browne)
Subject: Re: Why Linux on the desktop?
Reply-To: [EMAIL PROTECTED]
Date: Tue, 18 Apr 2000 09:55:47 GMT

Centuries ago, Nostradamus foresaw a time when Donal K. Fellows would say:
>In article <[EMAIL PROTECTED]>,
>Sascha Bohnenkamp  <[EMAIL PROTECTED]> wrote:
>>> IOW, again, HTML isn't "executed code" but simply a set of switches,
>>> like command line switches/arguments.
>> what about SQL?
>
>What about it?  (I don't know SQL well enough to know if it has enough
>to be computational in itself.  It might...)

It has the ability to do calculations; it has the ability to read
data; it has the ability to update data; it has the ability to
"branch" to different functionality.

Treating "pure SQL" as "Turing equivalent" probably requires some
moderately perverse "programming," as it doesn't directly, I don't
think, provide what you'd consider a "loop."

On The Other Hand, any _real implementation_ provides some form of
programming language substrate that provides looping and the like...
-- 
An engineer is someone who does list processing in FORTRAN.
[EMAIL PROTECTED] <http://www.hex.net/~cbbrowne/lsf.html>

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and comp.os.linux.advocacy) via:

    Internet: [EMAIL PROTECTED]

Linux may be obtained via one of these FTP sites:
    ftp.funet.fi                                pub/Linux
    tsx-11.mit.edu                              pub/linux
    sunsite.unc.edu                             pub/Linux

End of Linux-Advocacy Digest
******************************
