Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-09 Thread Glen Turner

Peter Miller wrote:

As a profession, we have two choices:
1. start licensing and accrediting ourselves, with a structure we can
live with, OR
2. wait for Some Really Bad Shit to happen, with a software defect as
the root cause, and have the politicians force something upon us...
something baroque, bureaucratic and onerous.


That assumes that most people in computing do tasks akin to engineering.
I think that's an affectation. It seems to me that most people I meet
in computing do tasks akin to motor mechanics and light regulation akin
to motor mechanics is what is needed.

Such an analogy also recognises that there is a range of experience, a
range of employers, and even people who prefer to fix their own car.

But anyway the real problem is that computers are a tool. By insisting
on accreditation you are saying that people can't use the tool without
a 3-4 year education. At the moment I'm surrounded by physicists and
astronomers -- let me float the idea that they shouldn't program
computers.

And it's not like you can't exempt their systems from some accreditation
scheme.  Telescopes are essentially huge lumps of moving metal and they
can readily kill.

Trying to distinguish user from programmer is also dire. Is an Excel
macro a program? And if you forbid the use of Java by the unwashed, do
you then simply get systems written in Excel macros?

Cheers, Glen
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-05 Thread Jan Schmidt
On Tue, 2008-06-03 at 10:21 +0800, jam wrote:
 On Tuesday 03 June 2008 08:50:26 [EMAIL PROTECTED] wrote:
  [...]
 
   The server had ssh access enabled via password entry and fell victim
   to a brute force password attack.  

 
 First thanks to everyone who contributed to this interesting thread :-)
 
 Some (and this is critique :-) not criticism) had credible offers eg Mary and 
 turning sendmail into an open relay, but many just had a BadThing happen.
 
 Daniel talks about 'brute forcing' a password:
 say [EMAIL PROTECTED]*()_/?] and 6 chars passwords
 
 6**70 umm 70 * log (2) and 10**8 brute forces / sec

I think you mean the much more sedate number of 70^6 combinations. At
10^8 tests per sec, that's a much scarier (70^6)/(10^8) = 1176.5 secs,
or under 20 mins to check the entire password space.

Fortunately, external brute-force testing of passwords doesn't typically
run to anything like that many tests per second!

J.
-- 
Jan Schmidt [EMAIL PROTECTED]



Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-03 Thread Dean Hamstead

denyhosts keeps track of failures and locks IPs out.

Peter Chubb mentioned a 'three strikes and you're out' policy. With
denyhosts you can choose this threshold, and you can also choose how
long the IP is 'out' (which helps to keep the list size down).


Using keys myself, and very occasionally passwords - I have 'two strikes,
you're out', with a 2-week ban time.


Dean

Rick Welykochy wrote:

Dean Hamstead wrote:

Denyhosts is a great daemon/cronscript that will manage hosts.allow 
for your ssh server. You can set thresholds and instant triggers etc. 
which will result in that IP being blocked.


Also, can't one use a TCP wrapper with ssh? Either way, it does compromise
one of the beauties of working on the Internet. When I head up north
for a break, for example, and need to access the server, heaven knows
what my IP will be when away from home.

There is a door knocking technique that was discussed a couple of years
ago on this list to allow you to tap tap tap the server to ask it to
let you in temporarily. More work of course.



Also, you could turn off password auth and just use keys.


Yup. Great idea.

cheers
rickw





--
http://fragfest.com.au
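A denyhosts-style strike counter with timed bans, as Dean describes above, written here as an added example (it is not denyhosts' own code): it parses sshd "Failed password" lines, bans a source address once it reaches the strike threshold, releases the ban after the configured period so the list stays short, and renders the current bans in hosts.deny (TCP wrapper) syntax. The log lines, hostname and addresses are constructed for the example.

```python
"""Denyhosts-style SSH brute-force detection over sshd log lines (added example)."""
import re
from datetime import datetime, timedelta

# OpenSSH auth-log line shape, e.g.
# "Jun  3 08:50:26 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2008  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample: one address hammering the box, one legitimate typo,
# and a final attempt two weeks later (after a 14-day ban would have lapsed).
SAMPLE_LOG = """\
Jun  3 08:50:26 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jun  3 08:50:29 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Jun  3 08:50:31 web1 sshd[2105]: Accepted publickey for rick from 198.51.100.7 port 51000 ssh2
Jun  3 08:50:33 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jun  3 08:51:02 web1 sshd[2110]: Failed password for rick from 198.51.100.7 port 51020 ssh2
Jun  3 09:15:00 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40200 ssh2
Jun 17 09:00:00 web1 sshd[3001]: Failed password for root from 203.0.113.5 port 40300 ssh2
""".splitlines()


def parse_failure(line):
    """Return (timestamp, ip, user) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


class StrikeTracker:
    """N-strikes-and-you're-out tracker with bans that expire."""

    def __init__(self, threshold=3, ban_seconds=14 * 24 * 3600):
        self.threshold = threshold
        self.ban_for = timedelta(seconds=ban_seconds)
        self.strikes = {}   # ip -> failures since the last ban was lifted
        self.banned = {}    # ip -> datetime at which the ban expires

    def expire(self, now):
        """Drop bans whose period has elapsed; the released IPs start from zero strikes."""
        released = [ip for ip, until in self.banned.items() if until <= now]
        for ip in released:
            del self.banned[ip]
            self.strikes.pop(ip, None)
        return released

    def record(self, ts, ip):
        """Record one failure at time ts; return True if it triggers a new ban."""
        self.expire(ts)
        if ip in self.banned:
            return False          # already blocked; nothing more to do
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= self.threshold:
            self.banned[ip] = ts + self.ban_for
            return True
        return False

    def hosts_deny(self):
        """Render the current ban list in hosts.deny syntax for the sshd service."""
        return "".join(f"sshd: {ip}\n" for ip in sorted(self.banned))


def run(lines, threshold=3, ban_seconds=14 * 24 * 3600):
    """Feed log lines through a tracker; return it plus the (time, ip) of each new ban."""
    tracker = StrikeTracker(threshold, ban_seconds)
    events = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        if tracker.record(ts, ip):
            events.append((ts, ip))
    return tracker, events


if __name__ == "__main__":
    tracker, events = run(SAMPLE_LOG)
    for ts, ip in events:
        print(f"{ts:%b %d %H:%M:%S} banned {ip}")
    print(tracker.hosts_deny() or "(no active bans)")
```

With the default three strikes and a 14-day ban, 203.0.113.5 is banned on its third failure, its attempt twenty-five minutes later is ignored, and the attempt on Jun 17 arrives after the ban has lapsed, so it counts as a fresh first strike.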


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Jeff Waugh
quote who=Rick Welykochy

 Adrian Chadd wrote:

 The trouble is that the entry barrier for coding is so low, you can
 code without any clue.

 This very issue gave rise to some heated debate over on the LINK mailing
 list, which some of you attend.

 Many of us computer professionals were peeved by this low barrier to
 entry into the software industry. Computer software creation is not a
 certified profession like engineering. There are far too many shysters out
 there peddling crap software because they can. This gives rise to many
 many problems in IT.

Yet there are so many who go nuts when the idea of accreditation is raised.
:-) [This cheap shot does not indicate my support for or against the idea!]

- Jeff

-- 
OSCON 2008: Portland OR, USA   http://conferences.oreilly.com/oscon/
 
 The GPL is good. Use it. Don't be silly. - Michael Meeks


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Chris Collins


On 02/06/2008, at 3:25 PM, Rev Simon Rumble wrote:


This one time, at band camp, Daniel Pittman wrote:


[2]  formmail.  I say no more.


Matt's Script Archive, anyone?


God... no.  make it stop!

I was a #perl op on Efnet back in 2000/2001.  The channel had  
officially disowned Matt and anything to do with him.  The standard  
recommendation being "Don't.  Just... don't."


There was even an April Fools Day patch released at some point to  
prevent the execution of code written by Matt Wright based on the  
standard copyright message he used to put in everything.


I vaguely recall somebody hunting down that patch to apply it to a  
production Perl install.


C.
--
Chris Collins [EMAIL PROTECTED]






Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Adrian Chadd
On Mon, Jun 02, 2008, Jeff Waugh wrote:

 Yet there are so many who go nuts when the idea of accreditation is raised.
 :-) [This cheap shot does not indicate my support for or against the idea!]

Heh. They don't suspect the real issue with accreditation?
That suddenly Universities will have to teach a real CompSci and Software
Engineering degree, and that degree will probably be 4 or 5 years long,
including internships and honours-level project (mandated like the
Electronic/Electrical engineering degrees seem to here at UWA); because
Writing Good Software is Hard ?

Ah, if only writing software held the same risks as building bridges. :)




Adrian
(Who should really get a CompSci degree from a reputable CompSci university
sometime.. anyone know any?)



Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Rev Simon Rumble
This one time, at band camp, Chris Collins wrote:

 Matt's Script Archive, anyone?

 God... no.  make it stop!

 I was a #perl op on Efnet back in 2000/2001.  The channel had officially 
 disowned Matt and anything to do with him.  The standard recommendation 
 being "Don't.  Just... don't."

And a whole project to re-implement them properly:
http://nms-cgi.sourceforge.net/

-- 
Rev Simon Rumble [EMAIL PROTECTED]
www.rumble.net

The Tourist Engineer
Nerds need vacations too.
http://engineer.openguides.org/

Hockey is a sport for white men.
Basketball is a sport for black men.
Golf is a sport for white men dressed like black pimps.

- Tiger Woods


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Rev Simon Rumble
This one time, at band camp, Adrian Chadd wrote:

 Ah, if only writing software held the same risks as building bridges. :)

You mean engineers don't test their newly-built bridge by driving a 
dozen variously-shaped vehicles across it, before opening it up to all 
and sundry?

-- 
Rev Simon Rumble [EMAIL PROTECTED]
www.rumble.net

The Tourist Engineer
Because nerds travel too.
http://engineer.openguides.org/

 The idea that Bill Gates has appeared like a knight in shining
  armour to lead all customers out of a mire of technological chaos
  neatly ignores the fact that it was he who, by peddling
  second-rate technology, led them into it in the first place.
- Douglas Adams on Windows '95.


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Michael Lake

Adrian Chadd wrote:

Ah, if only writing software held the same risks as building bridges. :)


It does. Here is the classic:
http://en.wikipedia.org/wiki/Therac-25
http://catless.ncl.ac.uk/Risks/3.09.html

This dates from way back in 1986.

Mike
--
Michael Lake
Computational Research Centre of Expertise
Science Faculty, UTS
Ph: 9514 2238






Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Adrian Chadd
On Mon, Jun 02, 2008, Michael Lake wrote:
 Adrian Chadd wrote:
 Ah, if only writing software held the same risks as building bridges. :)
 
 It does. Here is the classic:
 http://en.wikipedia.org/wiki/Therac-25
 http://catless.ncl.ac.uk/Risks/3.09.html
 
 This dates from way back in 1986.

Oh yes, there are specific areas like this where screwups kill people.

I meant writing software in general.



Adrian



Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Peter Miller
On Mon, 2008-06-02 at 20:33 +1000, James Purser wrote:
 So how would you develop such a system whilst also allowing for the
 freedom and low barrier to entry that signifies the Free and Open Source
 Software movement?

I expect that when regulation is forced upon us, barriers to entry
*will be the whole point*.  Unless we get in first.
  
Will the parallel be: you get malpractice insurance, or you can have
your future wages garnished forever if you get sued.  Doctors have to
pay their malpractice insurance to have their pro-bono work covered.  I
expect software folks will too.


 As a rough and ready idea, could this be something that OSIA could get
 involved with? Could OSIA be a partner in such a scheme? Or is it
 something that should be tackled by an independent body.

I expect that OSIA *is* an independent body, at least as much as ACS is
if not more so, in this context.


Regards
Peter Miller [EMAIL PROTECTED]
/\/\*http://miller.emu.id.au/pmiller/

PGP public key ID: 1024D/D0EDB64D
fingerprint = AD0A C5DF C426 4F03 5D53  2BDB 18D8 A4E2 D0ED B64D
See http://www.keyserver.net or any PGP keyserver for public key.

You can either have software quality or you can have pointer
arithmetic, but you cannot have both at the same time. -- Bertrand Meyer



Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Jeff Waugh
quote who=Rev Simon Rumble

 This one time, at band camp, Adrian Chadd wrote:
 
  Ah, if only writing software held the same risks as building bridges.
  :)
 
 You mean engineers don't test their newly-built bridge by driving a dozen
 variously-shaped vehicles across it, before opening it up to all and
 sundry?

No way dude, they drive a dozen variously-shaped vehicles into the harbour,
then build out the sides of the bridge until the cars stop falling off! TDD
for the win!

- Jeff

-- 
OSCON 2008: Portland OR, USA   http://conferences.oreilly.com/oscon/
 
   Maybe you should put some shorts on or something, if you want to keep
  fighting evil today. - The Bowler, Mystery Men


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread James Purser
On Mon, 2008-06-02 at 20:21 +1000, Peter Miller wrote:
 On Mon, 2008-06-02 at 16:31 +1000, Jeff Waugh wrote:
  Yet there are so many who go nuts when the idea of accreditation is raised.
  :-) [This cheap shot does not indicate my support for or against the idea!]
 
 As a profession, we have two choices:
 1. start licensing and accrediting ourselves, with a structure we can
 live with, OR
 2. wait for Some Really Bad Shit to happen, with a software defect as
 the root cause, and have the politicians force something upon us...
 something baroque, bureaucratic and onerous.
 
 I know which I would prefer.

So how would you develop such a system whilst also allowing for the
freedom and low barrier to entry that signifies the Free and Open Source
Software movement?

This was going to be the biggest problem with the ACS proposal, in that
there hadn't at the time been any thought of how those in the FOSS world
who may not be cert or degree qualified but were equally skilled and
knowledgeable could partake.

I'm not saying that there isn't room for a certification/accreditation
type scheme, especially within the big corp and government sectors, I'm
just curious as to how it could be done.

As a rough and ready idea, could this be something that OSIA could get
involved with? Could OSIA be a partner in such a scheme? Or is it
something that should be tackled by an independent body?
-- 
James Purser
http://jamespurser.com.au
Mob: 0406 576 553
Ph: +61 2 8210 6725
Skype: purserj1977




Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Peter Miller
On Mon, 2008-06-02 at 16:31 +1000, Jeff Waugh wrote:
 Yet there are so many who go nuts when the idea of accreditation is raised.
 :-) [This cheap shot does not indicate my support for or against the idea!]

As a profession, we have two choices:
1. start licensing and accrediting ourselves, with a structure we can
live with, OR
2. wait for Some Really Bad Shit to happen, with a software defect as
the root cause, and have the politicians force something upon us...
something baroque, bureaucratic and onerous.

I know which I would prefer.


Regards
Peter Miller [EMAIL PROTECTED]
/\/\*http://miller.emu.id.au/pmiller/

PGP public key ID: 1024D/D0EDB64D
fingerprint = AD0A C5DF C426 4F03 5D53  2BDB 18D8 A4E2 D0ED B64D
See http://www.keyserver.net or any PGP keyserver for public key.

Caffeine is the only way to make my brain run in single-threaded
mode. -- David Brady



Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Dave Kempe

Peter Miller wrote:

*will be the whole point*.  Unless we get in first.
  
Will the parallel be: you get malpractice insurance, or you can have

your future wages garnished forever if you get sued.  Doctors have to
pay their malpractice insurance to have their pro-bono work covered.  I
expect software folks will too.

  
Regulation won't be forced upon us. You already need to get professional 
indemnity to work with most govt depts.
The biggest problem with software development is that any type of 
regulation is not going to stop people making mistakes. What is needed 
is better methods, tools and processes to stop errors becoming problems.
I think everyone is getting mature enough to realise that this is a 
better way to go. The barrier of entry to software development is always 
going to remain low. It's going to get lower and lower as well. The horse 
has bolted on regulation of software producers as an industry. 
Regulating the individuals by means of contracts is already in place and 
largely works pretty well I think. I think a good combination of 
contracts and good practices is going to be how it is for a long time yet.


The thing is, that something bad happening should be blamed not on the 
programmer, but on the testers, the project managers etc. Anything where 
something really bad is going to happen is going to be a team effort :)
And software remains and should always remain a field where accurate 
tests of the components and the whole can ensure correctly working 
functionality. It's a pretty unique thing, where you get to drive train 
after car after hurricane over that bridge and see what happens.


dave


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Mary Gardiner
On Mon, Jun 02, 2008, Peter Miller wrote:
 Will the parallel be: you get malpractice insurance, or you can have
 your future wages garnished forever if you get sued.  Doctors have to
 pay their malpractice insurance to have their pro-bono work covered.  I
 expect software folks will too.

If the analogy holds too closely, the inability of people to start their
careers in Free Software is the same: the insurance would only be possible
to get if you happen to be trained and accredited in the approved manner
and could well depend on having prior supervised professional
experience. If a world that looks anything like the medical litigation
landscape happens in software, Free Software will look awfully
different, that's for sure, and it likely won't have the appeal of being
a good place to learn without a heavy cash investment.

I think I'm on the opposite side of the fence from most people here: if
the world was likely to demand that kind of quality assurance from the
industry, I suspect it would have already done so in a manner impossible
to ignore. I suppose a demonstration that that kind of quality is
achievable for a suitable price would change things.

-Mary


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Sridhar Dhanapalan
On Mon, 2 Jun 2008 at 14:59, Jason Ball [EMAIL PROTECTED] wrote:
  Not wishing to start an OS war, but I rarely if ever have seen a BSD
  or Sun box compromised. Is this due to sheer numbers of Linux and
  Doze?

 More than likely.

I've seen a range of plausible reasons and hard statistics to back up Linux 
supporters' assertions that the frequency of compromises on Windows systems 
is due to far more than just its sheer install base.

I'd hate to see Linux users start to solely use the 'market share' argument 
against other, less used, operating systems.


-- 
Your toaster doesn't crash. Your television doesn't crash.
Why should your computer? http://www.linux.org.au/linux



Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Kevin Saenz

So how would you develop such a system whilst also allowing for the
freedom and low barrier to entry that signifies the Free and Open Source
Software movement?


I expect that when regulation is forced upon us, barriers to entry
*will be the whole point*.  Unless we get in first.

Will the parallel be: you get malpractice insurance, or you can have
your future wages garnished forever if you get sued.  Doctors have to
pay their malpractice insurance to have their pro-bono work covered.  I
expect software folks will too.



I think you miss the entire point here. Firstly, how are you going to
police this? Exploits are found in most pieces of software daily. The
problem is that software is not perfect; you have one flaw that is behind
the development of all software, and that is the human brain.

There is a famous quote in IT, and that is "no one has been fired for
buying Microsoft, but if you installed anything else..."
With the amount of outages experienced, why haven't organisations started
class action for the total outage due to software related issues? This is
unworkable; you can't do it.


Firstly, with issues addressing compromised boxes, I squarely place the
blame at the sys admin or the owner of the box regardless of their
technical skills. Regular updates are part and parcel of owning a
system. If your box is compromised it's your fault and no one else's.
I don't care if it's Linux, Windows, or OS X: if you installed it, it's
yours to maintain, thus your responsibility. Time to reclaim ownership.






As a rough and ready idea, could this be something that OSIA could get
involved with? Could OSIA be a partner in such a scheme? Or is it
something that should be tackled by an independent body.


I expect that OSIA *is* an independent body, at least as much as ACS is
if not more so, in this context.



roflmao


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread david . lyon

Adrian Chadd wrote:

The trouble is that the entry barrier for coding is so low, you can
code without any clue.

This very issue gave rise to some heated debate over on the LINK mailing
list, which some of you attend.

Many of us computer professionals were peeved by this low barrier to
entry into the software industry. Computer software creation is not a
certified profession like engineering. There are far too many shysters out
there peddling crap software because they can. This gives rise to many
many problems in IT.


I guess I am lucky enough to see the other side of the story.. both  
here and overseas..


When I was growing up, there wasn't enough money for university. So  
accreditation was frankly impossible - only open to kids with richer  
parents. Those more privileged than myself.


Through hard work.. way more than getting a degree.. I hacked out a  
career in software. Against all the odds..


Living I get from it now is not too bad..

Recently, in my travels and open source exploits, I have had the  
privilege to help young programming hopefuls in poor countries get  
runs on the board to enable them to then go off and get proper paid  
work in their own countries. They do some coding, i pay them and give  
them a reference.


Often they go off to bigger and better things..

It's been tremendously rewarding...

I wouldn't say that the quality of these young hopefuls is any less  
good than a university student of the same age


At the end of the day... software is judged by whether it works for  
the customer or not. Not whether it has a long list of accreditations.


If you want to find too many shysters out there peddling crap... I  
suggest you go look in the accreditation industry. Is it little  
more than selling pretentious scout badges to detract from the quality  
of the software?


Seriously... how many of the worlds best open source projects are  
properly accredited from the start ?


please...

lets keep the self balancing system.

David





Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Dean Hamstead
At the end of the day... software is judged by whether it works for the 
customer or not. Not whether it has a long list of accreditations.


Thats nonsense. Management will continue to buy software and force it 
upon their engineers and techs based on the all important 
characteristics of...


- market hype
- sales pitches
- pretty colors
- friendships and strategic alliances
- flashy logos and websites
- expensive lunches
- cheapest quote

If you want to find too many shysters out there peddling crap... I 
suggest you go look in the accreditation industry. Is it little more 
than selling pretentious scout badges to detract from the quality of the 
software?


open source software does tend to speak for itself. it will tend to get 
to a certain stage when it will self cleanse.


Seriously... how many of the worlds best open source projects are 
properly accredited from the start ?


The difference is, open source will tend to get better. However once you 
have paid for some piece of junk software - you may be stuck with it.


Dean
--
http://fragfest.com.au


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread jam
On Monday 02 June 2008 21:43:25 [EMAIL PROTECTED] wrote:
  Yet there are so many who go nuts when the idea of accreditation is
  raised.
 
  :-) [This cheap shot does not indicate my support for or against the
  idea!]

 As a profession, we have two choices:
 1. start licensing and accrediting ourselves, with a structure we can
 live with, OR
 2. wait for Some Really Bad Shit to happen, with a software defect as
 the root cause, and have the politicians force something upon us...
 something baroque, bureaucratic and onerous.

 I know which I would prefer.

I ponder and wrestle with the issue:

The unis do not teach how to write *good* code; instead they do teach how to 
write robust garden code (and job preservation 'cause only *they* can read 
Hungarian Notation).

I watched my children and their mates, all graduates of different unis, write 
code: creative, elegant, complicated, and eschew simple and clean.

Now since the requirements for different code are different ie

my daughter writes billing code for iinet: It needs to be part of a team 
solution, and needs to be independent of her ...

I wrote the code used by PTC trains throughout NSW to read track transponders 
(and elsewhere in Oz). That is very complicated signal processing, and since 
it is in ROM no defects are allowed (and none found in the last 10+ years).

So I would (probably) never gain accreditation (too simple, rigid, pedantic, 
exact) and she could never write the train transponder code (but is an ideal 
candidate for accreditation).

She helped with the code for an olive picking robot 
http://tigger.ws/vtigger/main.php?g2_itemId=991
Over and over I had to redo her code as it failed simple, clean, 
designed-for-3-major-revisions', read as bedtime stories.

So how on earth would we achieve the accreditation that meets both 
requirements? And if an accredited programmer stuffs up then ALL are branded.
I go even further to suggest "If you learn to program in BASIC, you are ruined 
as a programmer forever" applies to the current situation :-)

Ponder ponder

James


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Rick Welykochy

Sridhar Dhanapalan wrote:

On Mon, 2 Jun 2008 at 14:59, Jason Ball [EMAIL PROTECTED] wrote:

Not wishing to start an OS war, but I rarely if ever have seen a BSD
or Sun box compromised. Is this due to sheer numbers of Linux and
Doze?

More than likely.


I've seen a range of plausible reasons and hard statistics to back up Linux 
supporters' assertions that the frequency of compromises on Windows systems 
is due to far more than just its sheer install base.


I'd hate to see Linux users start to solely use the 'market share' argument 
against other, less used, operating systems.


As pointed out previously, one contributing factor to x86 Windows
and Linux architectures being popular targets is that there is
significant payback in writing attack software for platforms that
are ubiquitous. The rarer the system, the less likely there is
blackhat experience to crack it.

Market share is a factor. But as we all know, a house of cards
built on shaky foundations is another factor.

BSD and Sun zealots do claim that their software systems are much
more robust/stable than Linux and Windows. I cannot respond to
that claim.


Regarding your sig:

  Your toaster doesn't crash. Your television doesn't crash.
  Why should your computer? http://www.linux.org.au/linux

The answer should be obvious. A dedicated computer running an
appliance runs heavily tested software dedicated to one purpose
and a well-known hardware set.

A general purpose computer running any variety of software you
install along with a conglomerate of possibly never before tried
hardware suffers the combinatorial explosion of interactions and
complexity that a toaster never experiences.

The devil is in the detail of general-purpose vs purpose-built.

cheers
rick




--

Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
 -- Bruce Schneier


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Sam Gentle
On Tue, Jun 3, 2008 at 10:47 AM, Rick Welykochy [EMAIL PROTECTED] wrote:
 Sridhar Dhanapalan wrote:

 On Mon, 2 Jun 2008 at 14:59, Jason Ball [EMAIL PROTECTED] wrote:

 Not wishing to start an OS war, but I rarely if ever have seen a BSD
 or Sun box compromised. Is this due to sheer numbers of Linux and
 Doze?

 More than likely.

 I've seen a range of plausible reasons and hard statistics to back up
 Linux supporters' assertions that the frequency of compromises on Windows
 systems is due to far more than just its sheer install base.

 I'd hate to see Linux users start to solely use the 'market share'
 argument against other, less used, operating systems.

 As pointed out previously, one contributing factor to x86 Windows
 and Linux architectures being popular targets is that there is
 significant payback in writing attack software for platforms that
 are ubiquitous. The rarer the system, the less likely there is
 blackhat experience to crack it.

 Market share is a factor. But as we all know, a house of cards
 built on shaky foundations is another factor.

 BSD and Sun zealots do claim that their software systems are much
 more robust/stable than Linux and Windows. I cannot respond to
 that claim.


 Regarding your sig:

  Your toaster doesn't crash. Your television doesn't crash.
  Why should your computer? http://www.linux.org.au/linux

 The answer should be obvious. A dedicated computer running an
 appliance runs heavily tested software dedicated to one purpose
 and a well-known hardware set.

 A general purpose computer running any variety of software you
 install along with a conglomerate of possibly never before tried
 hardware suffers the combinatorial explosion of interactions and
 complexity that a toaster never experiences.

 The devil is in the detail of general-purpose vs purpose-built.

That said, I know a great knife-related toaster bug. For some reason
instead of fixing it the designers just added warnings to the user
manual saying don't use this combination of inputs.

Sam


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Martin Visser
I have often found that feeding the output of the toaster, back into the
toaster demonstrates an overflow bug, requiring opening all of the windows
and doors.

On Tue, Jun 3, 2008 at 10:53 AM, Sam Gentle [EMAIL PROTECTED] wrote:

 On Tue, Jun 3, 2008 at 10:47 AM, Rick Welykochy [EMAIL PROTECTED]
 wrote:
  Sridhar Dhanapalan wrote:
 
  On Mon, 2 Jun 2008 at 14:59, Jason Ball [EMAIL PROTECTED] wrote:
 
  Not wishing to start an OS war, but I rarely if ever have seen a BSD
  or Sun box compromised. Is this due to sheer numbers of Linux and
  Doze?
 
  More than likely.
 
  I've seen a range of plausible reasons and hard statistics to back up
  Linux supporters' assertions that the frequency of compromises on
 Windows
  systems is due to far more than just its sheer install base.
 
  I'd hate to see Linux users start to solely use the 'market share'
  argument against other, less used, operating systems.
 
  As pointed out previously, one contributing factor to x86 Windows
  and Linux architectures being popular targets is that there is
  significant payback in writing attack software for platforms that
  are ubiquitous. The rarer the system, the less likely there is
  blackhat experience to crack it.
 
  Market share is a factor. But as we all know, a house of cards
  built on shaky foundations is another factor.
 
  BSD and Sun zealots do claim that their software systems are much
  more robust/stable than Linux and Windows. I cannot respond to
  that claim.
 
 
  Regarding your sig:
 
   Your toaster doesn't crash. Your television doesn't crash.
   Why should your computer? http://www.linux.org.au/linux
 
  The answer should be obvious. A dedicated computer running an
  appliance runs heavily tested software dedicated to one purpose
  and a well-known hardware set.
 
  A general purpose computer running any variety of software you
  install along with a conglomerate of possibly never before tried
  hardware suffers the combinatorial explosion of interactions and
  complexity that a toaster never experiences.
 
  The devil is in the detail of general-purpose vs purpose-built.

 That said, I know a great knife-related toaster bug. For some reason
 instead of fixing it the designers just added warnings to the user
 manual saying don't use this combination of inputs.

 Sam




-- 
Regards, Martin

Martin Visser


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-02 Thread Rick Welykochy

Martin Visser wrote:

I have often found that feeding the output of the toaster, back into the 
toaster demonstrates an overflow bug, requiring opening all of the 
windows and doors.


Funny that. And I have found that feeding the output of Windows
back into Windows often results in toast!

cheers
rickw


--

Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
 -- Bruce Schneier


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread jam
On Tuesday 03 June 2008 08:50:26 [EMAIL PROTECTED] wrote:
 [...]

  The server had ssh access enabled via password entry and fell victim
  to a brute force password attack.  

 [...]

  I still do not know how the attacker located the machine.  I presume
  it was probably through a port scan which may have taken place some
  time before.  

 The most likely case is that they found the machine by brute force as
 well; a fair proportion of hostile modern software simply picks random
 IP addresses and attacks them in the hope that there is something
 vulnerable.

 This has the benefit, for the attacker, of turning up things that don't
 get advertised, and of having a very low cost to identify targets --
 especially when the economies of scale result in your large network
 being able to randomly scan more and more of the overall network.

First thanks to everyone who contributed to this interesting thread :-)

Some (and this is critique :-) not criticism) had credible offers, e.g. Mary and 
turning sendmail into an open relay, but many just had a BadThing happen.

Daniel talks about 'brute forcing' a password:
say [EMAIL PROTECTED]*()_/?] and 6 chars passwords

6**70 umm 70 * log (2) and 10**8 brute forces / sec

that's 10 to the power 60 secs! Sorry the universe went flat.

The famous Win/Mac/Linux security shoot-off: Win and Mac broken but 
nobody wanted the $10,000 and Sony Vaio for breaking the Linux box. H.

James
 


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread Jeff Waugh
quote who=jam

 The famous Win/Mac/Linux security shoot-off: Win and Mac broken but
 nobody wanted the $10,000 and Sony Vaio for breaking the Linux box. H.

These events are more about reputation and strutting than money. Reckon that
cracking into a Linux machine is going to do more for your rep than finding
a seriously scary and damaging vector into a Mac or Windows machine? That's
what those dudes were after (and found).

- Jeff

-- 
GUADEC 2008: Istanbul, Turkey http://www.guadec.org/
 
The Unix Way: Everything is a file.
 The Linux Way: Everything is a filesystem.


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread Rick Welykochy

jam wrote:


Daniel talks about 'brute forcing' a password:
say [EMAIL PROTECTED]*()_/?] and 6 chars passwords

6**70 umm 70 * log (2) and 10**8 brute forces / sec

that's 10 to the power 60 secs! Sorry the universe went flat.


Or collapsed to a singularity.

As Bruce Schneier points out here:

http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

most passwords are much more limited in variety than the 6**70
in your estimate.

That article discusses offline password cracking, but many of the
points he raises apply to online password cracking.

 * a surprising number of admins leave the password unchanged as
   installed out of the box

 * there are passwords out there that are simply 'password'

And,

  When attacking programs with deliberately slow ramp-ups, it's
   important to make every guess count. A simple six-character
   lowercase exhaustive character attack, aa through zz,
   has more than 308 million combinations. And it's generally
   unproductive, because the program spends most of its time
   testing improbable passwords like pqzrwj.

   According to Eric Thompson of AccessData, a typical password
   consists of a root plus an appendage. A root isn't necessarily
   a dictionary word, but it's something pronounceable. An appendage
   is either a suffix (90 percent of the time) or a prefix (10 percent
   of the time).

   So the first attack PRTK performs is to test a dictionary of about
   1,000 common passwords, things like letmein, password, 123456
   and so on. Then it tests them each with about 100 common suffix
   appendages: 1, 4u, 69, abc, ! and so on. Believe it or not,
   it recovers about 24 percent of all passwords with these 100,000
   combinations.

I am running a server that was getting heaps of password cracking
attempts on SSH port 22. Since changing the port, the attempts
have stopped.


cheers
rickw



--

Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
 -- Bruce Schneier
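
The arithmetic in jam's post and the root-plus-appendage figures Rick quotes from Schneier, worked through as an added example. This code is not from the thread and is not Schneier's or AccessData's PRTK; it computes the exhaustive keyspace for the 70-symbol, six-character alphabet and the 10^8 guesses/sec rate jam uses, and for Schneier's six-lowercase-letter case, then runs a small root+appendage wordlist over a constructed set of password hashes. The roots, appendages, account names and passwords are all made up for the example, the six-entry root list stands in for the roughly 1,000-entry one the article describes, and unsalted SHA-256 is used only so the example runs offline.

```python
"""Exhaustive search versus a root+appendage wordlist (added example, not from the thread)."""
import hashlib
from typing import Dict, Iterable, Iterator, Optional, Sequence, Set

# Constructed sample: five accounts, four "typical" passwords, one random-looking one.
SAMPLE_PASSWORDS = {
    "alice": "letmein1",
    "bob": "password!",
    "carol": "123456",
    "dave": "Monkey4u",
    "erin": "pqzrwj",      # no wordlist will hit this one
}

# Short stand-ins for the ~1,000 roots and ~100 appendages the article describes.
COMMON_ROOTS = ["letmein", "password", "123456", "monkey", "qwerty", "abc123"]
SUFFIXES = ["", "1", "4u", "69", "abc", "!", "123"]   # "" = the bare root
PREFIXES = ["", "1", "!"]


def exhaustive_size(alphabet_size: int, length: int) -> int:
    """Candidates in a full exhaustive search of fixed-length passwords."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return exhaustive_size(alphabet_size, length) / guesses_per_sec


def root_appendage_candidates(roots: Sequence[str], suffixes: Sequence[str],
                              prefixes: Sequence[str]) -> Iterator[str]:
    """Yield root+suffix first (the common case), then prefix+root, for each
    root and its capitalised form, never repeating a candidate."""
    seen: Set[str] = set()
    for root in roots:
        for variant in (root, root.capitalize()):
            for cand in [variant + s for s in suffixes] + [p + variant for p in prefixes]:
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def candidate_count(roots=COMMON_ROOTS, suffixes=SUFFIXES, prefixes=PREFIXES) -> int:
    """Size of the wordlist, for comparison with exhaustive_size()."""
    return sum(1 for _ in root_appendage_candidates(roots, suffixes, prefixes))


def hash_password(pw: str) -> str:
    # Unsalted SHA-256 stands in for whatever the target stores; the
    # wordlist logic is the point here, not the hash function.
    return hashlib.sha256(pw.encode()).hexdigest()


def crack(hashes: Dict[str, str], candidates: Iterable[str]) -> Dict[str, Optional[str]]:
    """Try each candidate once against every unrecovered hash (hashes are
    assumed distinct per user). Returns user -> recovered password, or None
    if the wordlist never hit it."""
    pending = {h: user for user, h in hashes.items()}
    found: Dict[str, Optional[str]] = {user: None for user in hashes}
    for cand in candidates:
        user = pending.pop(hash_password(cand), None)
        if user is not None:
            found[user] = cand
            if not pending:
                break
    return found


if __name__ == "__main__":
    print("26^6 lowercase candidates:", exhaustive_size(26, 6))
    print("70^6 at 1e8 guesses/sec, seconds:", seconds_to_exhaust(70, 6, 1e8))
    print("wordlist candidates:", candidate_count())
    hashes = {u: hash_password(p) for u, p in SAMPLE_PASSWORDS.items()}
    for user, pw in crack(hashes, root_appendage_candidates(COMMON_ROOTS, SUFFIXES, PREFIXES)).items():
        print(f"{user}: {pw!r}")
```

Two things fall out of running it. The 70-symbol, six-character space is 70^6, about 1.2 x 10^11 candidates, which at 10^8 guesses a second is exhausted in minutes offline; online against sshd the rate is orders of magnitude lower, since every guess costs network round trips and sshd's own delays. And a wordlist of under a hundred candidates still recovers four of the five sample passwords while the random-looking one is never found, which is why the attacks in this thread use lists rather than exhaustive search.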


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread Sonia Hamilton

jam wrote:

First thanks to everyone who contributed to this interesting thread :-)


Isn't it about time this <opinion>boring</opinion> thread went onto 
slug-chat?


:-)

--
Sonia Hamilton.


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread Mary Gardiner
On Tue, Jun 03, 2008, Sonia Hamilton wrote:
 jam wrote:
 First thanks to everyone who contributed to this interesting thread :-)

 Isn't it about time this <opinion>boring</opinion> thread went onto  
 slug-chat?

There's probably additional boredom to be had in saying which bits of
it, but in terms of on-topicness:

 - details of how to compromise a Linux machine, how not to, and whether
   we know of it being done are probably on topic here, regardless of
   whether they're particularly interesting

 - the accreditation discussion is off-topic according to
   http://www.slug.org.au/mailinglists.html except for the minor
   side-thread about how it would affect FOSS development: The main
   discussion list, slug@slug.org.au, is where all the discussion goes
   on.  Everything related to installing, maintaining, developing on
   Linux or Free/Open Source Software is on topic for this list...

-Mary


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread Dean Hamstead

I am running a server that was getting heaps of password cracking
attempts on SSH port 22. Since changing the port, the attempts
have stopped.


Denyhosts is a great daemon/cronscript that will manage hosts.allow for 
your ssh server. You can set thresholds and instant triggers etc. which 
will result in that IP being blocked.


Also, you could turn off password auth and just use keys.

Dean
--
http://fragfest.com.au
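
The threshold logic Dean describes, as an added example written for this page rather than taken from Denyhosts. It parses constructed sshd log lines in the syslog format auth.log carries (the addresses are RFC 5737 documentation ranges; syslog stamps carry no year, so 2008 is assumed), counts failed password attempts per source address inside a sliding time window, and emits hosts.deny entries in TCP wrappers syntax for the addresses over the threshold. An allow list keeps your own addresses from ever being written there, which is the lock-out risk of any automatic blocker.

```python
"""Threshold blocking from sshd log lines (added example, not Denyhosts' code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Set, Tuple

# Constructed sample in the syslog format sshd writes to auth.log;
# the addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jun  3 10:47:01 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 52310 ssh2
Jun  3 10:47:03 web1 sshd[4021]: Failed password for root from 203.0.113.5 port 52310 ssh2
Jun  3 10:47:06 web1 sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 52344 ssh2
Jun  3 10:47:09 web1 sshd[4025]: Failed password for invalid user oracle from 203.0.113.5 port 52381 ssh2
Jun  3 10:52:40 web1 sshd[4102]: Failed password for rick from 198.51.100.7 port 61002 ssh2
Jun  3 10:52:55 web1 sshd[4104]: Accepted publickey for rick from 198.51.100.7 port 61010 ssh2
Jun  3 11:30:12 web1 sshd[4310]: Failed password for invalid user test from 192.0.2.44 port 40011 ssh2
Jun  3 11:30:14 web1 sshd[4311]: Failed password for invalid user test from 192.0.2.44 port 40012 ssh2
Jun  3 13:05:00 web1 sshd[4590]: Failed password for invalid user test from 192.0.2.44 port 40990 ssh2
"""

# Only password failures count; accepted logins and key attempts are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

LOG_YEAR = 2008  # syslog timestamps carry no year; assumed for the sample


def parse_failures(lines: Iterable[str], year: int = LOG_YEAR) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, ip, user) for each failed-password line, skipping all others."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())           # collapse the "Jun  3" padding
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
        yield ts, m.group("ip"), m.group("user")


def hosts_to_block(lines: Iterable[str], threshold: int = 3,
                   window: timedelta = timedelta(minutes=10),
                   allow: Iterable[str] = ()) -> Set[str]:
    """Addresses with at least `threshold` failures inside some `window`-long
    span. Addresses in `allow` are never blocked, so an admin's own address
    cannot be locked out by a fat-fingered password."""
    allowed = set(allow)
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip, _user in parse_failures(lines):
        failures[ip].append(ts)
    blocked: Set[str] = set()
    for ip, times in failures.items():
        if ip in allowed:
            continue
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked.add(ip)
                break
    return blocked


def hosts_deny_lines(blocked: Set[str], daemon: str = "sshd") -> List[str]:
    """hosts.deny (TCP wrappers) entries for the blocked addresses."""
    return [f"{daemon}: {ip}" for ip in sorted(blocked)]


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for entry in hosts_deny_lines(hosts_to_block(lines)):
        print(entry)
```

On the sample, 203.0.113.5 (four failures in eight seconds) is blocked, the single slip from 198.51.100.7 is not, and 192.0.2.44 is not either because its third failure falls outside the window. A deployment also needs expiry for the blocked list, which otherwise grows forever, and must match the "Invalid user" and PAM "authentication failure" variants that other sshd builds log.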


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread Rick Welykochy

Dean Hamstead wrote:

Denyhosts is a great daemon/cronscript that will manage hosts.allow for 
your ssh server. You can set thresholds and instant triggers etc. which 
will result in that IP being blocked.


Also, can't one use a TCP wrapper with ssh? Either way, it does compromise
one of the beauties of working on the Internet. When I head up north
for a break, for example, and need to access the server, heaven knows
what my IP will be when away from home.

There is a door knocking technique that was discussed a couple of years
ago on this list to allow you to tap tap tap the server and ask it to
let you in temporarily. More work of course.



Also, you could turn off password auth and just use keys.


Yup. Great idea.

cheers
rickw



--

Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
 -- Bruce Schneier


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread peter
 Rick == Rick Welykochy [EMAIL PROTECTED] writes:

Rick Dean Hamstead wrote:
 Denyhosts is a great daemon/cronscript that will manage hosts.allow
 for your ssh server. You can set thresholds and instant triggers
 etc. which will result in that IP being blocked.

Rick Also, can't one use a TCP wrapper with ssh? Either way, it does
Rick compromise one of the beauties of working on the Internet. When
Rick I head up north for a break, for example, and need to access the
Rick server, heaven knows what my IP will be when away from home.

Depends how you set it up.  Mine has a `three tries and you're out'
policy.  And as I use an ssh-agent on my (carry around) laptop,
there's no chance of being locked out accidentally.

Peter C


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs

2008-06-02 Thread Rick Welykochy

[EMAIL PROTECTED] wrote:


Depends how you set it up.  Mine has a `three tries and you're out'
policy.  And as I use an ssh-agent on my (carry around) laptop,
there's no chance of being locked out accidentally.


I assume three times password fails and you're out, right?
That's interesting.

Can one configure ssh so that the password attempts are TCP wrapped,
but the cert-based (ssh-agent) logins are always allowed, no
matter where you are?

cheers
rick



--

Rick Welykochy || Praxis Services || Internet Driving Instructor

If stupidity got us into this mess, then why can't it get us out?
 --Will Rogers
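
Rick's question, answered as an added example that is not from anyone in the thread. TCP wrappers cannot make that distinction: sshd consults hosts.allow/hosts.deny when it accepts the connection, before any authentication method has been tried, so a wrapped address is refused whether it was going to offer a key or a password. What can make it is sshd_config itself: turn password authentication off globally and turn it back on only for the addresses you trust, with a Match block (OpenSSH 4.4 or later). The 203.0.113.0/24 range below is a placeholder for your own home or office network.

```sshd_config
# Global defaults: keys from anywhere, passwords from nowhere.
PubkeyAuthentication yes
PasswordAuthentication no
# PAM keyboard-interactive also prompts for the password; turn it off too,
# or "PasswordAuthentication no" alone is not enough.
ChallengeResponseAuthentication no
# Keys only for root ("prohibit-password" in newer releases).
PermitRootLogin without-password
# Three tries and you're out, counted per connection.
MaxAuthTries 3

# Match blocks must come last: every directive after one belongs to it.
Match Address 203.0.113.0/24
    PasswordAuthentication yes
```

Check the file with `sshd -t` before restarting, and keep an existing session open while you do. One caveat with MaxAuthTries: every public key the client offers counts as an attempt, so an agent loaded with several keys can exhaust three tries before it reaches the right one; keep the agent small or set `IdentitiesOnly yes` in the client's ssh_config for that host.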


Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Mary Gardiner
I suspect a bunch of people are going to jump into this thread, but to
get in early, some stories:

 - a Red Hat 5 box left to rot (this was some time ago now!), became a
   host for warez and ended up comprising something like half of its
   very substantial network's total traffic.

 - a sendmail install which was either set up as an open relay or
   compromised and turned into one, noticed almost immediately because
   of massive network usage

 - an up-to-date machine run by a competent hobbyist sysadmin of a skill
   level comparable to many people posting here, turned out to be a
   compromise through a WordPress install that wasn't up to date, took a
   while to track down apparently; it was participating in DDoS attacks

And of course, in November 2003, debian.org itself was the victim of an
attack by, I think, a still unknown vector:
http://www.debian.org/News/2003/20031121 but that might not meet your
criteria of having been used for a nefarious purpose as opposed to
'just' having been broken into.

The (few) security consultants I know seem to have universally had their
personal machines compromised at some point, this seems to partly be a
result of being more likely to notice, and partly due to attending
security conferences, where the networks are extremely hostile.

I suspect attacks through web apps like WordPress are pretty common
causes of compromise of machines run by essentially knowledgeable people at
the moment, because there doesn't seem yet to be a good set of best
practices for packaging and updating them (upstream tends to aim their
instructions at people who might not even have shell access, let alone
root access, and there's the whole plugin universe too).

-Mary


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Rev Simon Rumble
This one time, at band camp, Mary Gardiner wrote:

 I suspect attacks through web apps like WordPress are pretty common
 causes of compromise of machines run by essentially knowledgeable people at
 the moment, because there doesn't seem yet to be a good set of best
 practices for packaging and updating them (upstream tends to aim their
 instructions at people who might not even have shell access, let alone
 root access, and there's the whole plugin universe too).

Yet people regularly ask me why there's no comments on my blog.  This 
and the fact I couldn't be bothered keeping it up-to-date with the 
latest comment spam blocking hacks.

-- 
Rev Simon Rumble [EMAIL PROTECTED]
www.rumble.net

The Tourist Engineer
Nerds need vacations too.
http://engineer.openguides.org/

 Famous remarks are very seldom quoted correctly.
- Simeon Strunsky


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Rick Welykochy

Mary Gardiner wrote:


I suspect attacks through web apps like WordPress are pretty common
causes of compromise of machines run by essentially knowledgeable people at
the moment, because there doesn't seem yet to be a good set of best
practices for packaging and updating them (upstream tends to aim their
instructions at people who might not even have shell access, let alone
root access, and there's the whole plugin universe too).


Out of curiosity, I often query the server used in the links provided in
phishing scam emails.

More often than not, the phishing box is a compromised Linux server
running Apache and PHP. Rarely do I see a Windows server :(

I would tend to blame an out-of-date PHP install rather than Apache
as being the attack vector. If you are on AusCert or DebSec, you
will know how many exploits are discovered in PHP 4 and 5. And they
keep finding more. I did do a PHP install and was amazed at the
server info page. There are a myriad of hacks and fixes in PHP, as reflected
in the PHP system variables, to turn off all sorts of insecure features.
I got the feeling that out of the box and with little technical knowledge,
PHP is not a healthy addition to any Linux server.

Not wishing to start an OS war, but I rarely if ever have seen a BSD
or Sun box compromised. Is this due to sheer numbers of Linux and Doze?


cheers
rickw



--

Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
 -- Bruce Schneier


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Dean Hamstead

Not wishing to start an OS war, but I rarely if ever have seen a BSD
or Sun box compromised. Is this due to sheer numbers of Linux and Doze?


there are a lot of people out there setting up linux machines who really 
haven't got the skills to do so.


not listing any names...

ausgamers.com



Dean
--
http://fragfest.com.au


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Jason Ball


Not wishing to start an OS war, but I rarely if ever have seen a BSD
or Sun box compromised. Is this due to sheer numbers of Linux and  
Doze?


More than likely.


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Daniel Pittman
Rick Welykochy [EMAIL PROTECTED] writes:
 Mary Gardiner wrote:

 I suspect attacks through web apps like WordPress are pretty common
 causes of compromise of machines run by essentially knowledgeable people
 at the moment, because there doesn't seem yet to be a good set of
 best practices for packaging and updating them (upstream tends to
 aim their instructions at people who might not even have shell
 access, let alone root access, and there's the whole plugin universe
 too).

 Out of curiosity, I often query the server used in the links provided
 in phishing scam emails.

 More often than not, the phishing box is a compromised Linux server
 running Apache and PHP. Rarely do I see a Windows server :(

 I would tend to blame an out-of-date PHP install rather than Apache as
 being the attack vector. If you are on AusCert or DebSec, you will
 know how many exploits are discovered in PHP 4 and 5. 

Much as I love putting the boot into PHP, this isn't actually *directly*
the fault of the language.  This is usually that there are a stupidly
large number of remote command injection and remote file inclusion
vulnerabilities in PHP applications.[1]

 And they keep finding more. I did do a PHP install and was amazed at
 the server info page. There are a myriad of hacks and fixes in PHP,
 as reflected in the PHP system variables, to turn off all sorts of
 insecure features.  I got the feeling that out of the box and with
 little technical knowledge, PHP is not a healthy addition to any Linux
 server.

I would argue that *any* remotely accessible service is not a good
addition to a Linux box with only a little technical knowledge.  

Many years ago, when I was younger and dinosaurs walked the earth, Perl
was the hateful language of the day: most of the crappy CGI software out
there that let people break in was written in Perl.[2]

PHP has taken over the role of popular, easy to use web language, so has
picked up many of the same people who used to cause trouble with poorly
written Perl scripts.

 Not wishing to start an OS war, but I rarely if ever have seen a BSD
 or Sun box compromised. Is this due to sheer numbers of Linux and
 Doze?

Yes.  Back when *BSD had significant technical advantages in TCP/IP
performance, and when Sun was much more prevalent on the Internet, they
were often compromised.  

These days, not so much, just because they are not as easy to find and
most attacks are now very much automated "try everything and see what
sticks" attacks that don't run outside their mainline platform.

Compromises of !x86 Linux boxes are also much lower, for the same
reason: many of the binary exploits just don't work, and no one bothers
porting them to the underlying architecture.

Regards,
Daniel

Footnotes: 
[1]  PHP is arguably indirectly responsible for this, through poor
 design of the language and encouraging poor use of the tools, but 
 I don't see a great deal of value in arguing about that. ;)

[2]  formmail.  I say no more.



Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Rev Simon Rumble
This one time, at band camp, Daniel Pittman wrote:

 [2]  formmail.  I say no more.

Matt's Script Archive, anyone?

-- 
Rev Simon Rumble [EMAIL PROTECTED]
www.rumble.net

The Tourist Engineer
Just because you're on holiday, doesn't mean you're not a geek.
http://engineer.openguides.org/

 A conservative is a man who believes that nothing should
  be done for the first time.
- Alfred E Wiggam


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Rick Welykochy

Daniel Pittman wrote:


[2]  formmail.  I say no more.


The perl language has been pretty bullet proof. I do recall
one string-based exploit in the many many years I have been using
it.

That said, yup, scripts like formmail are written by monkeys
in the 11th level hell and sent to torment sys admins.

I was running an ISP and in my early days I stupidly allowed
some customers to upload their own perl CGI scripts to our
(only) main web server. After watching the machine being brought
down to its knees due to inexperienced coding (don't ask) I
learnt my lesson very quickly.

The only way to allow user-supplied scripts nowadays is via
some sort of virtualisation scheme with solid sandboxing. Even
then, poor coding can gobble up heaps of resources needlessly.


cheers
rickw



--

Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
 -- Bruce Schneier


Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Adrian Chadd
On Mon, Jun 02, 2008, Rick Welykochy wrote:
 Daniel Pittman wrote:
 
 [2]  formmail.  I say no more.
 
 The perl language has been pretty bullet proof. I do recall
 one string-based exploit in the many many years I have been using
 it.

Shit code can be written on all platforms.

 That said, yup, scripts like formmail are written by monkeys
 in the 11th level hell and sent to torment sys admins.
 
 I was running an ISP and in my early days I stupidly allowed
 some customers to upload their own perl CGI scripts to our
 (only) main web server. After watching the machine being brought
 down to its knees due to inexperienced coding (don't ask) I
 learnt my lesson very quickly.
 
 They only way to allow user-supplied scripts nowadays is via
 some sort of virtualisation scheme with solid sandboxing. Even
 then, poor coding can gobble up heaps of resources needlessly.

The trouble is that the entry barrier for coding is so low, you can
code without any clue.




Adrian



Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)

2008-06-01 Thread Rick Welykochy

Adrian Chadd wrote:


The trouble is that the entry barrier for coding is so low, you can
code without any clue.


This very issue gave rise to some heated debate over on the LINK
mailing list, which some of you attend.

Many of us computer professionals were peeved by this low
barrier to entry into the software industry. Computer software
creation is not a certified profession like engineering. There
are far too many shysters out there peddling crap software
because they can. This gives rise to many many problems in IT.

But, enough said. Yup, you can code up crap in any language.
Especially INTERCAL!

cheers
rickw


--

Rick Welykochy || Praxis Services || Internet Driving Instructor

The user's going to pick dancing pigs over security every time.
 -- Bruce Schneier