Information Security News mailing list archives

Re: Linux snares security tool


From: InfoSec News <isn () c4i org>
Date: Mon, 12 Nov 2001 03:42:06 -0600 (CST)

Forwarded from: Eric Lee Green <eric () badtux org>
Cc: jerico () attrition org, nicole.bellamy () zdnet com

On Friday 09 November 2001 01:57 am, InfoSec News wrote:
> Forwarded from: security curmudgeon <jericho () attrition org>
> cc: nicole.bellamy () zdnet com au, errata submission <errata () attrition org>
>
> http://www.zdnet.com/zdnn/stories/news/0,4586,2822782,00.html
>
> By Nicole Bellamy
> ZDNet Australia
>
> [press release masquerading as news]
>
> November 6, 2001 5:46 PM PT
>
> InterSect Alliance says it has developed the first integrated security
> auditing and event logging subsystem for the open source Linux operating
> system, beating much larger organizations to the punch.
>
> Oh, so now it's an IDS for Linux, and the first?
>
> So I guess LIDS (www.lids.org) doesn't count?
>
> And of course Marty over at Snort must be horribly disappointed by
> this revelation. (www.snort.org)
>
> And damn, the folks from Tripwire must be sawing at their wrists too.
> Tripwire was open source and running on Linux when.. 1992 or 1993?

Sigh. Jericho, I must thank you for writing the rebuttal that I felt
like writing when I first saw this press release masquerading as news.
I suppressed my urge to respond because if I responded to every
clueless reporter out there I would have no time to do my real job
(writing clustering software at the moment, though I have done
security engineering in the past), but that was before I read Ms.
Bellamy's extremely unprofessional response to a previous criticism.

I have not in any way done any in-depth study of SNARE, since I am not
its target market, but from reading a brief description, SNARE appears
to be a useful tool, in that it apparently adds a user-friendly
interface to already-existing intrusion detection tools such as SNORT
and Tripwire (or perhaps their own re-implementations of those
already-existing tools).  However, it adds no new functionality to the
Linux security world. Those of us who have been involved in Linux and
Linux security for some time (my experience in the Linux world dates to
1995, and my first use of Unix was in 1985) will most probably not be
in the target market for SNARE. We're already running arpwatch, snort,
logwatch, tripwire, portwatch, Big Brother, etc. as well as
(sometimes) our own home-brew software for intrusion detection. Some
of us are even running the BSD accounting tools to look for suspicious
commands as they are typed into the system, and EMAIL said reports to
an outside address.

An interesting and informative article could have been written
starting with the above premise (i.e. that SNARE brings security out
of the realm of security geeks into the realm of easy use by mere
mortals). Unfortunately, such an article was not written. Frankly, if
Ms. Bellamy consulted any "experts", they must have been a couple of
pimply-faced kids at her local computer club, or marketroids at local
computer "research" firms, rather than real Linux security experts
(that is, people who have actually secured Linux systems).

> The two systems differ in that while a network-based intrusion
> detection tool enables the user to determine when an intrusion is
> being attempted, the host-based system allows the user to identify
> when an intrusion has been successful.
>
> Ok so we make the qualification of NIDS vs HIDS here, and that explains
> Tripwire how?

(snort!) Not to mention "logwatch" (which watches the log file for
suspicious entries and reports them), or the BSD accounting tools,
which can be programmed to report suspicious commands being typed in
by users with a few lines of shell scripting and gratuitous grep
abuse.

> The Snare auditing subsystem is designed to "enhance an
> organizations ability to detect suspicious activity by monitoring
> system and user actions", as stated in its release report.
>
> /yawn
>
> This is old news in the IDS field. Also old news in the Linux IDS
> field.

Old news in the Unix IDS world, for that matter. My system
administrator at college used many of these same mechanisms -- in
1985! (Particularly the BSD process accounting tools, which were used
to detect students' attempts to abuse the system... there were some
rather surprised students who had their passwords locked out by the
admins after attempting to bypass system security).

> While working on similar tools for other operating systems, such as
> Sun's Solaris and Microsoft's Windows NT--all of which contained an
> audit collection subsystem--the company realized the lack of this
> feature in Linux, and "thought something was missing," according to
> Purdie.
>
> Err, perhaps I am just out of the loop here, but what does Sun/Solaris
> offer natively that Linux doesn't in the way of "audit collection
> subsystems"? I haven't kept up with Solaris after 2.6 really but I
> just don't see it offering that much more.

Basically, Solaris has a nice user interface to the underlying Sys V.4
tools that provide the same basic functionality as the BSD process
accounting tools used under Linux. You can produce pretty reports and
graphs and such, if I recall correctly (it's been six months or so
since I last touched a Solaris system). I believe they may even
publish some of these via SNMP so that network monitoring tools such
as Big Brother or CA Unicenter can monitor them. In any event, it is
clear that we're talking about a user interface difference, rather
than a functional difference. An article could be written about the
importance of user interface and how it affects perceptions of
operating systems, but such an article was not written.

> Gah. It is clear to me that this is a total fluff piece that could
> pass for a press release with a few minor changes. No background was
> done, no experts consulted.

It appears that her "expert" was a local "research" outfit (basically,
the Aussie equivalent of IDG), rather than someone who has actually
secured Linux systems. It appears that she did not do a basic web
search to look for other Linux security systems and attempt to contact
any of those other authors "on background" to verify that her tame
talking mouthpiece at SNARE was spewing real info rather than
marketing BS. It appears that she never went to
http://www.linuxsecurity.com and clicked on the links there about
other security products for Linux. Frankly, I was taught better in
high school journalism class.

> Oh, any insipid legal threats from Nicole Bellamy will be published
> along with this errata. Since that seems to be her trend based on
> talking to others. (For the ISN crowd: she has threatened to sic her
> pet lawyers on someone who works in the open source community for
> telling her this article was full of shit.)

That sort of behavior is EXTREMELY unprofessional. You do not threaten
to sue potential sources for future stories. And if someone offers you
information, you accept it with a polite "thank you for your
comments", even if the offer is in a rather, err, rude, manner.
Frankly, I knew better than that when I was a 19 year old kid writing
a computer club newsletter column.

I've had my own run-ins with journalists in the past when I felt I was
misquoted or that they misconstrued something about Linux, but at
worst we agreed to disagree. I cannot imagine any situation where
threatening to sue a critic is productive behavior for a journalist.
After all, journalists have resort to the ultimate court: the court of
public opinion, in which they have the capability of "stacking the
deck" so to speak via the power of the pen.

Do note, however, that Australia has very anti-free-speech libel laws.  
Basically, if you say anything critical of a person in Australia, you
must be able to prove what you say beyond reasonable doubt. This is of
course the total opposite of the United States, where the person suing
for libel has the burden of proof, thus allowing greater freedom of
speech. However, I have no intention to go anywhere near Australia
(and in fact I suspect they would deny me a visa, due to my public
criticisms of Aussie PM John Howard's bigotry and poor treatment of
non-whites), so I don't care what Aussie law says.

Eric Lee Green          GnuPG public key at http://badtux.org/eric/eric.gpg
           mailto:eric () badtux org  Web: http://www.badtux.org
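The "BSD accounting tools plus a few lines of shell scripting and gratuitous grep abuse" technique that Eric mentions twice above (looking for suspicious commands as they are typed and emailing the report), as an added example that is not part of the original post and has nothing to do with SNARE. It assumes lastcomm's column layout (command, optional flag letters, user, tty, CPU time, timestamp), uses a constructed sample in place of real accounting data so it runs offline, and the watchlist of command names and the user names are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the post: screen BSD process-accounting output
# (lastcomm) against a watchlist of commands and build a mail-ready report.
# Assumed lastcomm layout: command, optional flag letters (S F D X), user,
# tty (or "__" for none), CPU time as "N.NN secs", then a timestamp.
# Watchlist entries and user names are constructed for this demo.

# Constructed sample in lastcomm's layout (not real accounting data).
SAMPLE_ACCT='ls                     alice    pts/0      0.00 secs Mon Nov 12 03:10
gcc                    alice    pts/0      1.23 secs Mon Nov 12 03:11
nmap                   bob      pts/1      0.42 secs Mon Nov 12 03:12
sh               F     bob      pts/1      0.00 secs Mon Nov 12 03:12
tcpdump                root     __         0.05 secs Mon Nov 12 03:13
vi                     carol    pts/3      0.00 secs Mon Nov 12 03:14
nc                     bob      pts/1      0.01 secs Mon Nov 12 03:15'

# Commands that deserve a second look on a shared host; site-specific, and
# anchored so that "nc" does not also match something like "ncurses-config".
WATCHLIST='^(nmap|nc|tcpdump|john|crack)$'

# suspicious_commands: read accounting lines on stdin; print "user command"
# for every entry whose command matches WATCHLIST, in log order.
suspicious_commands() {
    awk -v pat="$WATCHLIST" '
        NF >= 4 {
            cmd = $1
            user = ""
            # The user is the field immediately before the tty column, which
            # lets the optional flag letters sit between command and user.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^(pts\/|tty|__)/) { user = $(i - 1); break }
            }
            if (user != "" && cmd ~ pat) print user, cmd
        }'
}

# count_hits: number of watchlist matches on stdin ("0" when clean).
count_hits() {
    suspicious_commands | wc -l | tr -d ' '
}

# report_hits: turn accounting lines on stdin into a short report on stdout.
# Prints nothing when there is nothing to report, so a cron job can mail
# the output only when it is non-empty.
report_hits() {
    hits=$(suspicious_commands)
    [ -n "$hits" ] || return 0
    printf 'Watchlist commands run on %s:\n%s\n' "$(uname -n)" "$hits"
}

# Offline demo over the constructed sample. On a host with process accounting
# enabled (accton), feed real data instead and mail a non-empty result, e.g.:
#   out=$(lastcomm | report_hits)
#   [ -n "$out" ] && printf '%s\n' "$out" | mail -s 'acct watch' security@example.org
printf '%s\n' "$SAMPLE_ACCT" | report_hits
```

The watchlist is deliberately a full-match regex on the command name rather than a substring grep, since process accounting records only the basename of what ran; a real deployment would also tune the list per host and keep the accounting file itself readable only by root so the record cannot be trimmed by the user being watched.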



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.