Vulnerability Development mailing list archives
Re: The NSA's Security-Enhanced Linux
From: "Jeffrey W. Thompson" <thompson () ARGUS-SYSTEMS COM>
Date: Tue, 9 Jan 2001 10:44:55 -0600
Scott, As you may well know, I'd love to see you do this! I of course would be more than happy to help you in any way I can (or get other people here at Argus to do so! :) ). I also, wanted to mail out to VULN-DEV to let people know of two very soon upcoming things: The first is that Argus will be doing OpenHack III with eWeek starting the 15th of this month. I think it is 50K US that we are putting up for the contest and prizes will be given out for completing various hacks on the systems. We will have four systems set up mimicing a simple ISP setup in a "real" world fashion. We will perform all administration remotely, and will have lots of services available for people to attack. System 1) Shell server that people will be able to log into directly. This server will be running httpd, sshd, ftpd, telnetd. Users will also be able to retrieve ISP email from this system via IMAPD or POPD to the DNS/Mail Server. This system will be running on a Netra with Solaris 7 and Argus PitBull Foundation. A successful attack on this system is to place a file in /. System 2) DNS/Mail server. This system will expose DNS, sendmail, popd, imapd, and sshd (for administration). This system will be running on a new as of yet unreleased product called PitBull LX. This system will be running RedHat 6.2. I am personally very excited to see this system in action, as it is an entirely new technology that we have developed. A successful attack on this system is to add an entry into the openhack.com DNS configuration file. System 3) Appliance co-hosting system. This system will host two different web sites for ISP customers. An account will be given out on this system and the goal on this system will be to modify one of the two web sites. This system will be running Solaris 7 x86 with the Argus Secure Web Appliance running on top of it. This is also an as of yet unreleased product. We will be announcing it officially at the end of the month. System 4) A e-commerce system. This system is considered to be a co-located server at the ISP for one of its customers. It will be running AIX with PitBull .comPack. A successful attack on this system will be to penetrate the system and retrieve a passphrase from a table in the database running on the system. We will have more complete details available during the contest for each of the systems, and will also have a mail alias and most likely have an irc channel set up as well for ongoing discussion. Also, Argus has a flash add on the web at www.argus-systems.com/champ/ if you would like to see it. The second item I wanted to mention is that we will be releasing the new PitBull LX product on January 31st at Linux World. We will also be making PitBull LX available under the Argus Revolution program for free individual non-commercial use. I'll of course be very interested to hear people's feedback about LX after we release it. I hope that all of you get a chance to go after the OpenHack systems and have a good time while doing it! While clearly these contests do nothing to demonstrate "absolute" security, I still think that they serve some very good purposes if done right: 1) Allow people to attack and see a realistically secured architecture and gain a better understanding of how products/technologies can be used (or sometimes how they shouldn't be used). 2) Raise general awareness of security and security technologies 3) Give people a hopefully fun as well as educational experience 4) And the possibility of winning a little money isn't all that bad. Cheers and best of luck! Jeff Jeff Thompson Software Evangelist and Visionary Senior Security Analyst Argus Systems Group, Inc. "Scott D. Yelich" wrote:
On Wed, 27 Dec 2000, Neal Dias wrote:Once again I would just say I'm pleased to see that the NSA decided to make this available, it's certainly added another facet to an already interesting OS. And while not everyone out there likes Linux or finds it interesting, those of us who do, can be appreciative of the hard work the NSA guys put into this project. Speaking of those guys, we've been bandying this about, anyone out there that's involved in the project care to address any of this?I have a couple of spare PCs sitting 'round. How 'bout I put up a copy of this on nsa.spy.org and give people free run of the system? *grin* :-) Scott ps: it's good to see a "real" discussion on a mailing list and not a lot of name-calling and fluff. pps: I have an 8 processor sparc I've been meaning to open up with Pitbull. These could be nice playgrounds.