Interview with Bob Toxen

[InfoSec News <isn () c4i org>]

http://www.net-security.org/article.php?id=309

[Real World Linux Security 2/e by Bob Toxen is available at Amazon.com 
for $34.99 - http://www.amazon.com/exec/obidos/ASIN/0130464562/c4iorg ]


by Mirko Zorz 
16 December 2002

1. Who is Bob Toxen?

I am cut from standard geek material. I love science fiction,
especially Star Trek. From the time I was 14 I was hooked on
computers. I was introduced to them with the APL language on the
mighty IBM 360/91 at IBM's T.J. Watson Research Lab where my father
was a research physicist.

I have lots of electronic toys and have more computers in my house
than I can count -- all running exclusively Linux. I love music,
especially Gothic, Industrial, and Blues. I dabble in high voltage,
pyrotechnics, and holography. For more excitement, I fly my plane, a
Piper Arrow, around the Eastern United States and Canada.

At Berkeley we competed for who had the best program, with the most
features, most resistance to bad data, was written in the best style,
and which ran the fastest. This was good practice for being a
programmer and later for doing computer security. This obsession for
quality seems universal among Linux developers and lacking in some
proprietary software systems.

I was one of the four programmers who ported Unix to the Silicon
Graphics hardware for them. Later, I wrote a NFS server for Stratus'
non-Unix operating system, debugging it with a LAN analyzer. I wrote
several more network servers, one to track Space Shuttle payload data
for NASA. This was good training for network security as I learned
protocols down to the bit level. It enabled me to understand
vulnerabilities and defenses down to this level too.


How did you gain interest in computer security?

I was a sophomore at the University of California, Berkeley in 1975
when lots of exciting Unix work was being done. Unfortunately,
undergraduates were not allowed to do Unix research at this public
taxpayer-funded university by "the powers that be". Myself and a few
friends solved this by breaking into the Unix system and conducting
research without permission. Despite the best efforts of the
SysAdmins, we did this for about three years straight until we
finished school and headed for the salt mines of Silicon Valley.

One of my original ideas was hacking the kernel so that instead of the
erase character being a "#" character, erasing would generate the now
universal backspace-space-backspace sequence to obliterate the now
erased character. I did the same for line erase, replacing the "@"  
character with however many backspace-space-backspace sequences were
needed to erase the entire line on the screen. Doug Merritt helped
with this work.

I created the "lock" program to lock a terminal as a convenience over
logging out to maintain security. I started enhancing the Unix Version
6 shell before Bill Joy started on csh and Dr. Bourne did the Bourne
Shell. Doug Merritt added vi-like editing to the shell. All of these
things now are universal on Unix, Linux, and even Windows but we came
up with the ideas.

Our interest in security was to stay in control of the system to make
improvements to it as well as the technical challenge. We never
damaged anyone's data though the SysAdmins spent lots of time to try
to get us out. They never caught Doug, Ross, or I, however hard they
tried.

It was wrong for us to do this without permission and, instead, we
should have found a sympathetic professor to arrange for us to get
legitimate access. One of us (not the three named above) was arrested,
spent a night in jail, and had to fight to avoid conviction due to our
activities. This was my only less than white hat activity.


What are your favourite security tools and why?

IP Chains/IP Tables
This is the "Killer App" that allowed Linux to be a good 
Enterprise-class firewall. I find it far easier to configure than 
Cisco's Pix, cheaper, and more versatile; IP Tables offers all of the 
features that most organizations need.

I wrote 60 pages on IP Tables in RWLS 2/e that includes "Tips and 
Techniques" for easy rule set creation and debugging, a detailed 
comparison of IP Tables with IP Chains, and complete IP Tables scripts 
for SOHO and medium organizations that want a DMZ.

Logcheck (my enhanced version)
Logcheck takes the tedium out of properly checking your systems' log 
files for attacks and illness. I find it better than other tools, such 
as LogWatch, that either do not catch enough problems or do not 
discard unimportant events. I recommend that anyone running LogWatch 
immediately replace it with Logcheck.

My enhancements including fitting each IP Chains/IP Tables entry on a 
single line, being able to page the System Administrator for major 
problems, and not repeating "Attack" entries in the "Violations" 
section and not repeating "Violation" entries in the "Unusual" 
section. This encourages one to read all sections, knowing that it 
does not contain repeated data.

This version is on the CD-ROM that comes with the book and has been 
submitted back to Logcheck's original author.

My own Adaptive Firewall
It runs on top of IP Chains/Tables ("The Cracker Trap"). It locks an 
attacking system out of one's network within a fraction of a second.

Nmap
Fyodor's wonderful tool allows a thorough analysis of a firewall, 
network, or system very quickly and easily. Both SysAdmins and 
crackers use it daily. I even use it to see if an e-commerce site has 
made an effort to harden its server before I trust it with my credit 
card number.

Arpwatch (my enhanced version)
This wonderful tool allows the SysAdmin to know when someone connects 
a new system to the network or changes the IP address of an existing 
system within seconds. This is critical to ensure that users do not 
install "rogue" systems without authorization.

It also is useful to detect if any systems become compromised. In the 
latter case, the better crackers will change the system's IP address 
to an unused one to make it harder to track down which system was 
compromised. With Arpwatch, one will know which system was changed 
unless the cracker changes both the IP address and MAC address 
simultaneously. In this latter case one still will know that a rogue 
system has appeared suddenly.

Arpwatch was created by Craig Leres of Lawrence Berkeley Labs and I 
have enhanced it extensively to be more useful for large networks with 
multiple subnets and to properly detect bogons. Bogons are systems 
whose IP address is incorrect for the network that they are on. Bogons 
indicate systems that are incorrectly configured or compromised.

Ethereal
This wonderful program allows fast real-time analysis of packets 
traversing a system or network. It allows localizing a network or 
firewall problem, verifying that a VPN actually is encrypting its 
data, etc.


How long did it take you to write "Real World Linux Security, 2/e" and 
what was it like?

It took about three months of 90-hour weeks to finish the manuscript 
and a few months of "normal weeks" for the post-manuscript production 
to produce the finished book. This was on top of about six months of 
120-hour weeks to create the manuscript for the first edition and 
three months for production.

What was it like? Pure hell. I worked mostly at night because I am 
more creative then and there were no interruptions for email or phone 
calls. My friends thought I abandoned them because they never saw me 
and I kept sending my girlfriend away for weekends, camping, to visit 
her mother in Washington, DC, and elsewhere. My good friend, Stan 
Bootle calls it "Writer's Widow".

I slept very little. I did just enough for my clients so that they did 
not find someone else to help them. This obsession resulted in a much 
better book. I saw my contribution to Linux and Open Source was to 
help secure it. While Linux (and Unix) is capable of very good 
security, people did not know how. With my knowledge of security and 
some ability to write I saw this as my greatest contribution to Open 
Source. The book also is very useful to Unix System Administrators.


What's your take on the adoption of Linux in the enterprise? Do you 
think it will give a boost to security?

Linux continues to "Eat Bill's lunch" and that of the Unix vendors. 
With the desktop work that has been done recently and several 
Distributions' work for easier installs, Linux is ready to take over 
the desktop market too. I think that the poor economy internationally 
has helped Linux.

Any old PC can run Linux quickly for no money and troublefree 
operation. The latter means far less support costs. Microsoft just 
announced that it no longer will support its flagship Office for 
previous Windows versions, to "force" people to buy its new stuff; I 
think many will switch to Linux instead.

SuSE just announced its Open Exchange product. There are several Open 
Source Linux-based clients for MS Exchange. Almost everyone has heard 
of Linux now. IBM advertises it on television. Non-geek friends want 
to try it.


What do you think about the full disclosure of vulnerabilities?

Full disclosure of vulnerabilities forces vendors to fix their 
security problems quickly and it counteracts the lies of insecure 
vendors that their software is secure. This seems to be why Microsoft 
is lobbying the U.S. government to outlaw full disclosure and 
Hewlett-Packard (HP) is trying to imprison someone under DMCA who 
disclosed HP vulnerabilities. It was disclosed only after HP refused 
to acknowledge the problem or repair it.


What are your future plans? Any exciting new projects?

Since finishing the book two months ago, I have created a Linux-based 
Enterprise-class Virus filter and Spam filter and installed them at 
various clients. I am finishing an article on a novel way to trace 
Distributed Denial of Service (DDoS) attacks so that they may be 
stopped much faster. I am growing my network security consulting 
business.


What is your vision for Linux in the future?

Linux will replace Windows and Unix as the universal operating system 
for everything from embedded systems and PDAs to the biggest systems. 
Linux's Open Source nature and the peer pressure from its users will 
prevent Microsoft, IBM, or anyone else from forcing people to use 
inferior proprietary software again.

More governments will join China, France, and Mexico in officially 
preferring Linux over Microsoft for its better quality and lower cost 
of ownership. There is a Chinese edition of Real World Linux Security 
from China Machine Press.

People will have personal lives again rather than having to reinstall 
their Windows systems or retype their documents every weekend 
following crashes.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.