Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 11 May 2004 13:35:39 -0400 (EDT)

On Tue, 11 May 2004, Mark Gumennik wrote:

What happened to the freedom of speech (opinions?). Personal humiliation is

When it's represented as fact, it gets attacked by other speech.  You
didn't say "I think..."

Let's look:

" And instead of getting 5 people per 1000 users (whatever the standard is
right now) we will have to hire 25."

Strong assertion, no rationale, no backup data- not even marketing
numbers...

Then you said:

"Read any serious info , like from bagtrack, LINUX had more
vulnerabilities for the past 3 years than any given MS OS"

Well, I happen to have actually *looked* at vulnerabilities in Linux, and
I've proofread, analyzed and commented on both them, and studies about
them, as well as the Microsoft ones.

For instance, some study data I have for a market research firm from June,
2002 through May, 2003 shows a total of 480 vulnerabilities, including CVE
and Bugtraq numbers where appropriate.  137 of these are listed as
"Microsoft" vulnerabilities- while all the cross-platform ones, like PHP
are listed as Linux vulnerabilities.  The "Linux" ones include Fax
packages, documentation archiving and creation packages, Web proxies,
IPSec implementations, bug tracking systems, instant messenger programs,
mail transfer agents, programming languages, network diagnostic utilities,
databases, and games.

Here's a sample of a "High" severity "Linux" vulnerability:

CAN-2002-1307 mhonarc Cross-site scripting vulnerability (XSS) in MHonArc
2.5.12 and earlier allows remote attackers to insert script or HTML via an
email message with the script in a MIME header name.

Whee, an XSS attack against a specific Web archiving package- yeah, that
so balances out Sasser.

So, can you substantiate your claim?  Better yet, want to look not just at
vulnerabilities, but risk, and quantify the cost of those vulnerabilities
to the average organization over that same period?

[snip]

* ...that you've left out NIS/NIS+, LDAP, Radius and Kerberos suggests to me
that you're not very familiar with what's available for AAA under Linux.
-----I have done a good deal of administering firewalls, desktops, routers,
email, remote access (everything you mentioned plus TACACS and Ace), never
administered NIS, thanks GD. From http://www.linux-nis.org: "Linux machines
..can also act as full NIS+ clients, this support is in beta stage." Does
this look like mature technology? Is it scalable? Is it stable? Running LDAP

NIS+ support in Linux is likely older than AD support- given the changes
the last round of patches (you know, the one that fixed Sasser) made to AD
authentication, mature and stable isn't exactly what I'd be throwing
around.

is mostly good for user lookup; Radius is a great tool for remote user
administration. You forgot to mention more user databases: e-mail, printers,
group permissions, share permissions, and more. Now you have half a dozen
different databases which need to have connectors between them (oh, btw you
have to customize some of the connectors and code the others, AND you have
to administer them, so you need much more administrators and programmers, go

You keep missing the fact that you don't need more administrators- the
ones you're calling names work just fine.  Once again, you ignore (a) the
fact that you can choose whichever technology is most suitable *including*
AD/domain stuff, and (b) you can script 99% of the stuff quickly *once* if
you can't already find someone who's already done it.

IS!). You now have to enforce password policies on all of them. After that
you obviously suspect the users to change their 25 letter passwords every
month and on all (5) databases. The result: you end up with for-life
passwords for e-mail, LDAP, network shares, and secure intranets. The fact
that they are carried by Kerberos becomes almost irrelevant once they
compromised

Funnily enough, everyone I know who's done this hasn't had this problem.
Maybe your experience isn't as relevant to analyzing these technologies
as you believe?

So how do we synchronize the user names / passwords? X-500 (and X-400
connector) comes to mind (btw originated in Swiss, not US). The fact that

Uh oh!  Those Swiss people keep doing that World Wide Web thing too, with
some Brit guy- we should definitely watch out for that!

you did not mention such important topic suggests to me that you're not very
familiar with the process of user support and the X-500 technologies (sorry,
I'm using your methods / terminology).

Maybe it's because nobody uses x.500 to do what you suggest?

Hence: AD and NDS. They do scale, they are stable and they provide much more
than X-500 (statement)

So use Samba to do it all- it runs just fine on Linux.

-----Years ago I developed a formula for successful network administration
(when I was actually doing it): The fact that you CAN do it does not mean
that you WILL do it. For example you can use a 300-line ACL on your internal
router, it will work just fine for security, but you will kill your backbone
(I do have some actual data from last year experimentation). Can you use

I've had to deal with routers with 300-line ACLs that didn't kill
backbones, it's all about the ordering and traffic patterns.

Linux on a desktop? - yes; will you? - need real numbers, not the ones that
come from Red Hat

What do you mean real numbers?  Most of the other people in this
discussion *use* Linux on the desktop- some of them might even work at
companies where it's a common practice.

* That aside, if you're trying to suggest that government and corporate
sponsorship is somehow putting malicious code in Linux, you should also
suggest the same of Microsoft and Novell - and any number of other
entities.  While you're at it - do audit the windows source code.
-----I have no doubt that ALL of them put some kind of backdoors in the
software. The degree of responsibility is different (and the amount of
potential lawsuit money).

You'd do well to take a copy of the Windows license agreement to an
attorney and get a real legal opinion on that "potential lawsuit money."

For all the looking at the code done by at least a few competent people,
nobody seems to have found a government sponsored back door in the Linux
source code.

*Can't handle AAA on Linux
---Did I say it? - very convenient substitution again. I said it takes much
more effort to handle AAA in .nix environment on a desktop, that's why NDS
and AD. And they are not free even on Linux

Nobody said they had to be free (hmmm, our crops should be safe!)- heck- I
wouldn't recommend it, but you could even run a Windows AD server with
Linux desktops.

[snip]

Paul D. Robertson
* Now, the real point (since you obviously missed it) that everyone was
making in regards to your original argument about vulnerabilities is that
Linux only looks bad when you count all the silly things that nobody sane
would install on a corporate desktop.  Trying to turn that from "more
vulnerabilities on bugtrack (sic)" to "equal" is disingenuous when you're
trying to stand behind a point, since I already said "about equal." ..I
don't need to open RPC to anything other than loopback for Linux on the
desktop (and rarely even there.)  In fact, I tend to turn *off* more
things than I turn *on* for a
Linux machine when I'm configuring it from a default install.
Furthermore, I'm capable of running almost all services at a priv. level
less than local administrator- which doesn't make the vulns equivalent.

----Do you consider yourself an average user?

You put in administrators, now you're going to let the users configure
their own desktops?  Please- let's try for some consistency!

It takes a complete newbie about 20 minutes to configure a Linux machine
to the same standard I do assuming they can use a text editor and have
administrative permissions.  That's a one-time thing- and if they want to
understand the process- it's faster if you just do it, and it'd be all of
25 minutes to script the whole thing.

---Sorry to inform you that under MS environment if you only give your users
"User" rights instead of "local Admin" you don't need to bother about 99% of
vulnerabilities of the OS  since they (and a Joe Hacker) can not install any

Um no- that'd be for _application_ vulnerabilities, for MS, the browser is
in the OS- you get the OS vulns anyway, see Sasser, Slammer, et al.

FWIW, you don't have to give Linux users administrative rights either.

new code. You can run your patches under "run as" identity starting with
w2k. I have done it during my consulting years and it worked even under NT.
Also you probably are missing the point that users today want reach desktop.

Just because they want it doesn't mean they automatically get it, it's
dependent on a company's security policy, risk assessment and culture.

You can (and shall) take it away in a bank environment, but not in a general
office, like their ability to point and click on the network (vs. ftp from a
command line?).

There are *lots* of GUI FTP clients for Linux- and guess what?  Browsers
still do point and drool FTP too!

----Slightly off topic but close: I've been watching RH to prepare an attack
on the free software community for a long time and finally one more evil
empire was born. Bow. Obey. Base your calculations on their "corporate"
prices. Good boy.

Oh joy!  Another strawman- this is scarecrow alley!  With MS, you have
*no* choice!  With Linux, you can switch to Debian, SuSE, White Box,
Immunix, EnGarde, Turbo, YellowDog, or any of a dozen or so others- many
of them Linux Standards Base compliant to make for easy cutover!

*Since AD is based upon Kerberos for its default primary
authentication mechanism, I don't see how you come to the conclusion that
AD is any more "built-in FOR THE DESKTOPS" than Kerberos. Nice use of
caps - NOT! Lose the baggage and bring some facts, ok?
----fact: you need to administer Kerberos in .nix environment. fact: You
don't need to administer it in MS environment. Read the last statement
twice.

Fact: You need to worry about AV in an MS environment, you can take the
money you spend on AV, switch it to some policy enforcement and Kerberos
admin if you'd like and still come out ahead.

To the list: A couple of years ago I tried to sniff the difference between
Kerb v.5 and MS and could not come up with meaningful data (did not have
time). Does anybody have more info?

MS sends pre-auth info during login, RC4 is the default instead of DES, MS
uses SIDs in its authorization data, DNS is required, MS caches the
password for ticket renewal - a few other things, nothing too major.

Ron DuFresne:
the German government now directs linux security?  you do have pointers to
this to backup such a claim?

-----"Sponsors" not "directs", and I said governments (plural) which you
somehow dropped. From today's Google:
http://www.heise.de/newsticker/meldung/6918
http://news.osdir.com/article149.html
http://www.linux-kongress.org/helpus.html
http://news.com.com/2104-1001_3-983204.html
http://www.linuxsecurity.com.br/sections.php?op=imprime&artid=2

You know, in Linux, as with most Unices, we have this neat little tool
called "diff"- it's really, really useful for figuring out what someone
added to the source code- once again, how, pray tell, do you validate your
graphics card driver under Windows?

Devdas Bhagat
With a Linux/Unix desktop running X and remote applications, the real
requirements come down from 100 desktops to ten beefier boxes
----do you propose to give 10 boxes instead of 100 to 100 users? - back to
mainframe? - again confusing the issues of security devices (servers) OS (MS
is a no-no) and the desktop infrastructure. AAA at the perimeter is still
different from the AAA at the desktop.

That depends on the organization's requirements.  Lots of places who've
either recently switched to, or are in the middle of planning a switch to
Linux desktops seem to not need as much "groupthink" services, probably
because they're not trying to apply a hammer to unscrew a screw- it's oft
said that when all you have is a hammer, everything looks like a nail.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards