Re: Linux snares security tool

[InfoSec News <isn () c4i org>]

Forwarded from: "Ejovi B. Nuwere" <ejovi () ejovi net>

From: "Nicole Bellamy" <nicole.bellamy () zdnet com au>
Cc: "George Cora" <george.cora () intersectalliance com>,
   "Leigh Purdie" <Leigh.Purdie () intersectalliance com>

Ejovi.

As promised in my initial e-mail, I have looked into this matter and
spoken with experts who actually have day-to-day experience and
working knowledge of Linux and in particular, Linux security. They
have advised me to rework my article slightly to include reference to
C2-compliance--which is the most distinguishing factor of the new
tool. I have run a proof by them and they are happy with the
amendments, which I will be posting on our site now.

Although I strongly disagree with your personal attacks against me,
that is another matter and one which will be addressed --especially
due to the fact that you have yet to remove or apologise for your
slanderous comments.

As for the infosec news list readers you have approached, please pass
on to them my sincere thanks for their feedback and the notice of my
amendment. It is interesting to note that in a community such as
Linux, which is fighting daily against oppression from proprietary
systems, members of this community would personally and professionally
attack any journalist that gives weight to their fight, and attempts
to expose brilliance in the ranks, rather than mistakes and
vulnerabilities.

It is surprising that such a community is not applauding its members
who are attempting to make a difference rather than shooting down the
messengers.

By the way, if you intend to post this on your site, please feel free
to use the entire e-mail this time, rather than just chosen excerpts.
Also, my comments related to this story are my own, during initial
e-mails and the follow-up since.

Thanks again and regards.

Nicole



----- Original Message -----
From: "Ejovi B. Nuwere" <ejovi () ejovi net>
To: "Leigh Purdie" <Leigh.Purdie () intersectalliance com>
Cc: "Nicole Bellamy" <nicole.bellamy () zdnet com au>; "George Cora"
<george.cora () intersectalliance com>
Sent: Saturday, November 10, 2001 8:14 AM
Subject: Re: No Subject


> Thanks for the response Leigh,
>
> As a security professional, you too must admit this article is
> misleading. Statements such as "InterSect Alliance says it has
> developed the first integrated security auditing and event..."
> alone is not true. The first C2 open source compliant product?
> Well that may be true. Since there arent many C2 compliant
> products out there, commercial or open source.
>
> I'd be willing to give you the benefit of the doubt. But this
> article states you are the first host based IDS for linux. Which
> is not true. And I've received several responses to my original
> email sent to ISN, Internet Security News, all of which agree with
> my opinion. So we will have to agree to disagree on this one.
>
> Respectfuly
>
> ejovi
>
>
> On Fri, Nov 09, 2001 at 03:11:46PM +1100, Leigh Purdie wrote:
> > G'day Ejovi,
> >
> > Thanks for the comments below, hopefully I can answer your questions to
> > your satisfaction.
> >
> > Many security tools have been available for Linux for a long time now,
> > often being recompiled from applications developed for generic Unix
> > systems.
> >
> > I've been a user of applications like tripwire, tcp wrappers, for a long
> > time now. I think I first used tripwire in the early 1990s. I often
> > encounter confusion from people as to the purposes of such tools.
> >
> > Many people, for example, feel that once a firewall is in place, a
> > system is protected. You an I both know that it takes a large amount of
> > network, host, and procedural security controls to make a site truely
> > secure (and even then, there are still risks!). Just like you wouldn't
> > call tripwire a firewall, nor is it similar to SNARE.
> >
> > Tripwire fills a void in security by providing an administrator with
> > notification when a file is modified/added/changes permissions etc.
> >
> > LIDS fills another void by implementing mandatory access controls in the
> > kernel and providing enhanced access control.
> >
> > However, one thing that Linux has been lacking for a long time now, is
> > the "C2 style" user auditing capability. This is the role that SNARE
> > fills. Many other operating systems, such as NT or Solaris, incorporate
> > this feature, and many government departments refuse to install Linux,
> > because there is no auditing capability.
> >
> > Having worked in an organisation like the Defence Signals Directorate
> > (very much like the US National Security Agency (NSA)), I know the
> > importance of security standards, and the reluctance of government to
> > install hardware or software that does not meet certain standards.
> > Hopefully, SNARE is a step in the direction of ensuring Linux meets
> > those standards, and is able to be used more by government agencies, and
> > large organisations that need to meet government standards.
> >
> > ZDNet seem to me, to be a very careful and capable news agency that are
> > committed to correctly and accurately reporting a story. Nicole made
> > sure that she undertook a comprehensive interview before releasing the
> > story, and although no reporter can report verbatim what was discussed,
> > I think the story is a fair and accurate reflection of SNARE's role in
> > Linux.
> >
> > As such, if you believe that SNARE is of poor quality for an open source
> > release, or you feel as though the capabilities are overstated, then
> > please feel free to discuss it with us further. Drop me or George an
> > email, or call us on the number available from the contact page.
> > However, I don't think it's appropriate to accuse ZDNet of anything
> > untoward.
> >
> > Some comments we have received from other users relating to SNARE might
> > assist in reassuring you that the story was accurate:
> >
> > Daniel Swan, maintainer of the comp.os.linux.security frequently asked
> > questions document:
> > "Leigh, this looks quite impressive.  I will be happy to include it in
> > the FAQ.   I will be releasing another version in a couple of weeks, so
> > look for your product's inclusion then. I also look forward to trying it
> > out myself."
> >
> > Martin Heerling, germany:
> > "First I want to congratulate to snare - I was quite amazed about it.
> > I like the "Objectives" approach with specifying patterns or regexps.
> > That's definately cool."
> >
> > GuardianDigital, sellers of the Engarde linux distribution:
> > "This is very interesting. .. Perhaps you'd be interested in working
> > together in some capacity."
> >
> > Lance, USA:
> > "Hello,
> > This has got to be one of the most awesome utilities (SNARE) I've seen
> > in Linux yet.  Congratulations on the GREAT work done by you guys.  So
> > much information given, wow...what an improvement over other logging
> > utilities...."
> >
> > > From a government source:
> > "Truth be told, SNARE looks like it could possibly overcome the last
> > major hurdle to the 'legal' adoption of Linux in the U.S.
> > military/government structure.  While it's already endemic throughout
> > the Department of Defense, there is a bit of a backlash coming due to
> > the number of incidents coming in, and the lack of hard auditing data
> > to help track down the miscreants."
> >
> > Regards,
> >
> > Leigh.
> >
> >
> > On Fri, 2001-11-09 at 09:57, Ejovi B. Nuwere wrote:
> > > Bcc:
> > > Subject: Re: [ISN] Linux snares security tool
> > > Reply-To:
> > > In-Reply-To: <00d301c168a8$f92c29a0$b2e90ccb () zdnet com au>; from
nicole.bellamy () zdnet com au on Fri, Nov 09, 2001 at 09:59:08AM +1100
> > > Leigh Purdie, please tell me how your product differs from
> > > LIDS.
> > >
> > >
> > > On Fri, Nov 09, 2001 at 09:59:08AM +1100, Nicole Bellamy wrote:
> > > > Hi Ejovi.
> > > >
> > > > Thank you for your comments. ZDNet Australia values any feedback,
especially
> > > > when it relates to editorial quality, and/or accuracy. I have copied
in
> > > > Leigh Purdie, the CEO you mentioned, and an expert in Linux
security.
> > > > I consulted Linux 'experts' before going to print to check the
accuracy of
> > > > the article, which they did, and I am satisfied with responses I
received.
> > > > ZDNet Australia strives to provide an impartial, balanced view of
news in
> > > > the IT industry. As such, it is important to report on new
developments.
> > > > Often these are not controversial, and may seem to be complimentary
to the
> > > > company producing the technologies, this is not intended, nor
compensated in
> > > > any way. I personally have no affiliation with the company
mentioned, nor
> > > > the staff within it.
> > > >
> > > > However, I appreciate your comments and will endeavour to ensure the
> > > > validity of them. As we speak, I have contacted various Aust Linux
> > > > personalities to advise me on the accuracy of the claims you have
made. I am
> > > > sure you can understand the need to check facts and claims.
> > > >
> > > > Thanks again for your e-mail. Perhaps next time you have comments to
make
> > > > you could give me a call directly, and ascertain the accuracy of
your
> > > > comments.
> > > >
> > > > I hope I have assisted in whatever it is you hoped to achieve with
this
> > > > e-mail.
> > > >
> > > > Thanks and regards
> > > >
> > > >
> > > > ________________________________________________
> > > > Nicole Bellamy
> > > > News & Technology Producer
> > > > ZDNet Australia, a CNET Networks Company
> > > > PO Box 670  BROADWAY NSW 2007
> > > > Tel: +61 2 8514 9943   Fax: +61 2 9960 2953
> > > > http://www.zdnet.com.au  http://www.gamespot.com.au
> > > > _________________________________________________
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Ejovi B. Nuwere" <ejovi () ejovi net>
> > > > To: "InfoSec News" <isn () c4i org>
> > > > Cc: <nicole.bellamy () zdnet com au>
> > > > Sent: Friday, November 09, 2001 7:20 AM
> > > > Subject: Re: [ISN] Linux snares security tool
> > > >
> > > >
> > > > > Dear Nicole,
> > > > >
> > > > > Is this an article or jibberish? Jibberish or a press release
> > > > > poorly cloaked as a article? What exactly do you mean by
intergrated?
> > > > > Are you saying that all the major Linux distrubutions will include
this
> > > > > as part of their base system install?
> > > > >
> > > > > Or are you saying that it works on Linux? I'm confused. I suspect
you
> > > > > are too. Why did you not research the subject, if you had you
would have
> > > > > found tripwire (http://www.tripwire.org/) which has been around
and
> > > > > widely used for almost 10 years.
> > > > >
> > > > > What about quoting experts other then the company CEO? Either
you've
> > > > > been had, or need a refresher course in journlistic intergrity.
> > > > >
> > > > > Your friend,
> > > > > ejovi
> > > > >
> > > > >
> > > > > On Wed, Nov 07, 2001 at 03:35:07AM -0600, InfoSec News wrote:
> > > > > > http://www.zdnet.com/zdnn/stories/news/0,4586,2822782,00.html
> > > > > >
> > > > > > By Nicole Bellamy
> > > > > > ZDNet Australia
> > > > > > November 6, 2001 5:46 PM PT
> > > > > >
> > > > > > InterSect Alliance says it has developed the first integrated
security
> > > > > > auditing and event logging subsystem for the open source Linux
> > > > > > operating system, beating much larger organizations to the
punch.
> > > > > > Its new tool, Snare (System iNtrusion Analysis and Reporting
> > > > > > Environment) has been developed with a goal of reducing the cost
of
> > > > > > entry into system auditing and host-based intrusion detection
for
> > > > > > system managers, simplifying the process of configuration,
reducing
> > > > > > resource requirements and providing meaningful reporting to
end-users.
> > > > > > According to Leigh Purdie, director and principal security
consultant,
> > > > > > this is the first release of code for a host-based intrusion
detection
> > > > > > system, although there have been inroads made into the
development of
> > > > > > source code to address network-based intrusion detection.
> > > > > >
> > > > > > The two systems differ in that while a network-based intrusion
> > > > > > detection tool enables the user to determine when an intrusion
is
> > > > > > being attempted, the host-based system allows the user to
identify
> > > > > > when an intrusion has been successful.
> > > > > >
> > > > > > Purdie believes that the lack of the Snare code has hindered the
> > > > > > adoption of Linux into widespread use by organizations in
Australia.
> > > > > > By releasing Snare as open-source software, he hopes this will
"set
> > > > > > Linux on the path towards acceptance by organizations."
> > > > > >
> > > > > > The Snare auditing subsystem is designed to "enhance an
organizations
> > > > > > ability to detect suspicious activity by monitoring system and
user
> > > > > > actions", as stated in its release report.
> > > > > >
> > > > > > Given the current debate surrounding staff-monitoring, Purdie
was
> > > > > > quick to point out that InterSect Alliance is not responsible,
nor
> > > > > > accountable for, any privacy infringements occuring as a result
of
> > > > > > organizations using this system. However, the company does
intend to
> > > > > > provide privacy recommendations to organizations as a part of
its
> > > > > > training on the product.
> > > > > >
> > > > > > "Privacy is critical in a lot of institutions. When we provide
> > > > > > solutions we recommend one of the things they (organizations)
> > > > > > implement is staff contact; to let staff know what is happening,
why
> > > > > > it's happening, what data is being used for," said Purdie.
> > > > > >
> > > > > > Snare fills Linux security void
> > > > > >
> > > > > > The lack of integrated security features--perceived or
actual--has
> > > > > > long been a barrier to widespread Linux adoption.
> > > > > >
> > > > > > According to an InterSect Alliance report, "the lack of
host-based
> > > > > > intrusion detection in the form of an auditing system, has been
cited
> > > > > > in the past by organizations as a significant contributor to the
> > > > > > decision to choose alternative operating systems over Linux in
> > > > > > operational roles."
> > > > > >
> > > > > > InterSect Alliance decided to pursue the Snare project as a
means of
> > > > > > addressing this shortcoming and therefore boost Linux' appeal.
> > > > > >
> > > > > > While working on similar tools for other operating systems, such
as
> > > > > > Sun's Solaris and Microsoft's Windows NT--all of which contained
an
> > > > > > audit collection subsystem--the company realized the lack of
this
> > > > > > feature in Linux, and "thought something was missing," according
to
> > > > > > Purdie.
> > > > > >
> > > > > > What followed was eight months of effort and "not having a
life", said
> > > > > > George Cora, director and principal security consultant.
> > > > > >
> > > > > > While eight months seems minimal in software development terms,
Purdie
> > > > > > maintains that Snare is actually the culmination of ten year's
work
> > > > > > into the host-based intrusion detection system, added to a
combined
> > > > > > total of more than twenty year's experience in security for the
> > > > > > directors.
> > > > > >
> > > > > > The short time to market can also be attributed to three other
> > > > > > factors, according to Cora: "We have the programming skills, we
have a
> > > > > > small company that is not bureaucratic, and we put aside the
> > > > > > established OSes (operating systems) and started from scratch."
> > > > > >
> > > > > > He also maintains that the presence of the open-source community
> > > > > > allowed them a shorter development time.
> > > > > >
> > > > > > InterSect Alliance does not have the infrastructure in place to
> > > > > > distribute Snare commercially, but by using the open-source
community,
> > > > > > it was able to release the software quickly, to a widespread
audience.
> > > > > > Cora believes that releasing Snare as open source should also
lead to
> > > > > > a faster uptake of the product itself.
> > > > > >
> > > > > > "If we had tried to commercialize this [rather than releasing as
> > > > > > open-source software], people would be less eager to use it due
to the
> > > > > > cost of entry associated with it," Cora said.
> > > > > >
> > > > > > This lowered cost of entry is the ingredient that will ensure
much of
> > > > > > the product's success. Already InterSect Alliance has received
> > > > > > pre-release queries from local--and global--organizations.
> > > > > >
> > > > > >
> > > > > >
> > > > > > -
> > > > > > ISN is currently hosted by Attrition.org
> > > > > >
> > > > > > To unsubscribe email majordomo () attrition org with 'unsubscribe
isn' in
> > > > the BODY
> > > > > > of the mail.
> > > > >
> > > > >
> > > > > ejovi nuwere
> > > > > http://www.ejovi.net
> > >
> > >
> > > ejovi nuwere
> > > http://www.ejovi.net
> > --
> > Leigh Purdie, Director - InterSect Alliance Pty Ltd
> > http://www.intersectalliance.com/
>
>
> ejovi nuwere
> http://www.ejovi.net

----- End forwarded message -----


ejovi nuwere
http://www.ejovi.net

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.