Stanford University Unix servers hacked...

ColmOT [MSFT]

http://securecomputing.stanford.edu/alerts/multiple-unix-6apr2004.html


"The perpetrators regularly gain access to an unprivileged local user account"

maxheadroom

So basically, in a situation where an admin hasn't applied relevant security patches for well-known vulnerability, systems were compromised? A) how is this newsworthy?, and would they have been better off with an unpatched version of windows?

ColmOT [MSFT]

It's newsworthy because it's about Unix, and this is a Unix forum!

Thank you, maxheadroom, for making those points.
This is exactly the same situation in Windows, and people scream and shout about how "insecure" the OS is. It's actually the administrators who are insecure, not the OS.

Windows & Unix/Linux are both insecure when not patched and managed correctly.

Ultimately, if a Windows system is patched correctly and managed correctly it's security is on par with Unix.

quozl

i'd imagine that'd be true. It's a pity microsoft don't release patches in a timely manner. Or sometimes ever.
And that their patches all too often affect the security and stability of the machine itself.

Things would be a lot better in the world of windows if the OS could be patched correctly, I couldn't agree more with you Colm.

Greg[ROFL]

Typedef

Originally posted by ColmOT [MSFT]
Ultimately, if a Windows system is patched correctly and managed correctly it's security is on par with Unix.

I'm sorry, please refrain from smoking crack before posting.

Windows boxes, have an 'order of magnitude', more vulnerabilities then most Linux boxes.

In the main Windows boxes vulnerabilites provide admin access on that box too, since, the abstraction of user levels on a Windows box, frequently leaves the system in a state where joe soap user can delete files critical to the Operating System's proper running.

Having worked on a production Website and having deployed Unix servers to maintain it, I would be of the opinion that Windows boxes in a Server envrionment are a complete joke. Certainly, the System Administrators I would talk to 'make jokes' about how insecure and unreliable a Windows box is.

Moreover, when a vulnerability is found, as a System administrator, you are totally at the mercy of the M$ patching process to get it fixed. There is no chance for you to quickley recompile your Server app from source, with a quick bug fix. None. Windows is closed source and thus, from the standpoint of academic peer review, Windows is a black box, with padlock, something that completely goes against verifiable peer review.

That's how the RPC bug, from Windows 95 to XP sp1 managed to go unnoticed and how the vulnerability was so proliferic. A bug, that had existed in the Windows Core OS, for about 8 years was finally exploited and Millions, probably hundreds of Millions of machines ended up compromised.

If however M$ provided access to the source code of the software it *forces* on people, that particular vulnerability would have been caught years ago, by the regular review processes that are performed by peers on Open Source Code.

Now talk to me about patching, vulnerabilities and crying over spilled milk.

ColmOT [MSFT]

Moreover, when a vulnerability is found, as a System administrator, you are totally at the mercy of the M$ patching process to get it fixed. There is no chance for you to quickley recompile your Server app from source, with a quick bug fix. None.

Your point about an administrator being able to go in and fix the bug, then recompile the app for the fix immediatly is bull****.
The vast majority of system administrators cannot code or understand C code. Expecting them to be able to fix a bug is useless. SO you are still at the mercy of the vendor of your flavour of Unix.

Why would someone proficient enough in C to be able to detect, fix, recompile & test a core flaw be in a sys admin role? They'd get much better money in a dev job if that was the case.

frequently leaves the system in a state where joe soap user can delete files critical to the Operating System's proper running.

Why is a user logging into a server!? Perhaps your user policy should be reviewed to give the user a workstation rather than a mission ciritical server. Windows XP & Server 2003 take care of this issue for workstations. By default, users have never been able to log into DCs or any locked down application server.

dahamsta

I'd imagine there's a hell of a lot more *nix sysops that can use patch, configure and make than there are Windows sysops that'll do the same (even with a GUI) on Windows. And of course most Windows sysops don't have that option even if they wanted to...

adam

Typedef

Originally posted by ColmOT [MSFT]
Your point about an administrator being able to go in and fix the bug, then recompile the app for the fix immediatly is bull****.
The vast majority of system administrators cannot code or understand C code. Expecting them to be able to fix a bug is useless. SO you are still at the mercy of the vendor of your flavour of Unix.

I think you will find, you are totally misinformed.

Have you actually looked at the required skill set for most Unix system administrators? Being able to do things like recompile the Kernel is expected, no? Thought not.

Kudos for the argument though : Run Windows, you can pay a trained monkey peanuts to do it.

Sorry, I'd rather have 'real' IT people run 'real' production servers. Lets leave the fisher price toys to the kids.

Moreover, since the peer review process I mentioned earlier takes place on an ongoing basis, with thousands of developers reviewing the code, any Vulnerabilites found in say, ssh or Apache, are quickley fixed, unlike IIS.

Why would someone proficient enough in C to be able to detect, fix, recompile & test a core flaw be in a sys admin role? They'd get much better money in a dev job if that was the case.

Yeah I have one thanks, please see my earlier reply, about the thousands of developers across the globe, who perform regular code reviews and code walks of Open source code, specifically to find vulnerabilites *before* some nasty virus like Nimda, Code Red and friends can hammer the Unix boxes.

If what you say about Unix being *just as vulerable* as Windows is ture, then how come there aren't virii sweeping the near 60% penetration of Apache/Unix webserver that the internet is run off?

Don't know huh?

Shall I tell you?

It's because Windows is a joke, in terms of security and by and large Unices are the complete antithesis in terms of security.

Why is a user logging into a server!? Perhaps your user policy should be reviewed to give the user a workstation rather than a mission ciritical server.

I'm not communicating myself here am I?

A user level account can delete critical files on Windows boxes.
A user level account can only delete it's own files (normally not critical) on a Unix box

Indeed your response about user accounts shows a lack of understanding here.

It's a *bad* idea to run your server processes as root/administrator, since if that service gets compromised, you could have a situation where a remote attacker could run code on the target machine, with admin access.

That's bad.

That's why in Unix, we run processes in chroot jails and as low lever user access accounts, because it reduces our expose.

Unlike Windows, which runs moronic services wide open, for inscrutable reasons, only configurable by gui, blah, blah, the list of reasons behind why Windows boxes are crap goes on.

Windows XP & Server 2003 take care of this issue for workstations. By default, users have never been able to log into DCs or any locked down application server.

I'm sorry, you'll have to translate that out of whatever M$ marketing dictionary it was copy and pasted from, into a language that can be understood.

Again your missing the point about user's logging in (v) USER LEVEL ACCOUNTS.

Not the same thing.

So your point is totally invalid, not to mention misinformed.

No offence.

I've administered Windows and Unix boxes in my time, indeed when I was new to the industry and hadn't a clue, I thought that all those Unix guys were up their own arses and just liked to feel elite.

Not true, eventually I became one of those guys, because, what they were saying about stability, security my freedom to use my system, scability, innovation all being better and more transparent on Open Source systems was utterly true.

Windows exists not on it's merits as an OS, but, on Microsoft's ability to use it's monopoly to shoe horn, it's software force-feed style, down the throats of anybody who uses personal computers.

Fear not, many governments and organisations are catching on to the huge benefits that come with Open Source.

Eventually, this will even trickle down to the end user and when Microsoft starts to face, real and mouting competition in it's core markets and probably ever increasing numbers of countries, organisations and people will jettison Microsoft products in favour of it's superiour Open Source counterparts.

leeroybrown

The vast majority of system administrators cannot code or understand C code. Expecting them to be able to fix a bug is useless. SO you are still at the mercy of the vendor of your flavour of Unix.

A sizable percentage of the time, temporary security fixes designed by people/companies who are respected in the Unix security community are posted to security mailing lists both affiliated and unaffiliated to the distribution maintainers. Only minor confidence in making small syntactical changes is needed once you have trusted sources.

This allows administrators of production servers to quickly cover the security issue until the official bugfix has been fully tested, packaged and released.

electrofelix

Originally posted by ColmOT [MSFT]
The vast majority of system administrators cannot code or understand C code. Expecting them to be able to fix a bug is useless. SO you are still at the mercy of the vendor of your flavour of Unix.

I think you'll find this comment is true only when you assume that the system administrators are all windows only administrators.

It just so happens that the majority of system administrators for Linux have good C code understanding + perl and shell scripting understanding. Probably because they can and do use them regularly with Linux.


Windows Administrators generally don't for the simple reason that invariably they don't have access to systems that provide these C tools by default and additionally they can't look at the source, so they never do and as a result don't get the opertunately to improve their understanding of Windows system code.

Emboss

Colm

I'm still trying work out if you're one of the most retarded people to ever post in this forum, or you're a troll, and it's not easy....

Lets take a UNIX "like" OS OpenBSD

1 remote hole in the default install in over 7 years...

how many ? ONE!

how many versions of windows can say that?

Your point about an administrator being able to go in and fix the bug, then recompile the app for the fix immediatly is bull****.

I'm not sure how to reply to this, to be honest i feel like crying......
What do you think a UNIX admin does? spin a windows XP cd on his finger all day?

As typedef has mentioned all ready, to be a UNIX admin you need to be able to do a bit more than double click. Most UNIX admin would have a good grasp of numerous languages and actually UNDERSTAND what his systems are doing, unlike a WINDOWS admin.

Do some research, take a look at some of the holes that have been found recently.

A huge majority of the fixes have been released within hours of them being found.
How long does it take MS to release patches? weeks,months and in some cases YEARS.

It's time to take your head out of your ass, stop posting on this forum OR get a clue.

Capt'n Midnight

Please correct me if I am wrong, but my unstanding was that in Unix programs and services only ran if you set them up to run. Also that if an exploit was described then many Admins would be able to change rules in firewalls or change program config files (text based) or further restrict access by the program and be easily be able to check it's dependencies.

So if an exploit was documented then admins could probably hack together a work around on IRC or forum fairly quickly


By contrast in the windows world, local firewallls are still pretty much all or nothing when it comes to allowing traffic on a particular port. IIS - used to be that you disabled it and other installs would reenable it on the sly and SO many things are dependent on it..

Most of the holes in windows seem to be in things like IE and media player and other non-essential crap that has been so locked into the OS and has so many third party apps depending on it that it is now impossible to get away from. (eg: Having to stick IE6 on a NT server so the Msblaster patch would install just means the server reboots a lot more often cos now I've to patch IE as well )

There is a lot of discussion about how Microsoft release patches sooner but that people don't deploy them, - there is a simple reason , many previous patches have caused major problems eg: the exchange 2000 one that they got right on the third attempt , have a look at the update site - always seems to be at least one patch to fix a previous one..

Yes a properly hardened and patched windows server can be as secure as a Unix box, until the day someone finds a hole that has been undetected for eight years (hopefully the recompilling of existing code with newer compliers will remove many of the buffer overruns - there is a tiny chance of replacing old bugs with new ones if there is a complier flaw though)

And as for User security levels in Windows - most versions require very high levels of access for things like Autocad and PDA's to work - and I'm still upset that printer & video drivers run in Ring 0. Then there is our old friend AUTORUN. And service pack 4 added in Wireless service - for windows 2000 server (oh yeah - that's secure - anyone got a USB Key WiFi ?)

flamegrill

Originally posted by ColmOT [MSFT]
Your point about an administrator being able to go in and fix the bug, then recompile the app for the fix immediatly is bull****.
The vast majority of system administrators cannot code or understand C code. Expecting them to be able to fix a bug is useless. SO you are still at the mercy of the vendor of your flavour of Unix.

As all of the above have said, it is a _requirement_ of a unix systems administrator to be proficient in shell scripting, and generally have a C/C++ back ground or least be able to understand the basics. At no point is any systems administrator (unix) at the mercy of the vendor, this is simply untrue, unfounded, arse.

I for one am the technical director for a hosting company here in Ireland, we use a mixture of windows and unix servers. All my unix servers, be them linux/bsd etc are all admined by me. When an exploit is released for something typically the guy who releases it gives a fix, this is generally easy enough to test and deploy it. We have approx 30 unix boxes, and 2 windows machines, I can tell you now the time spent on them windows boxes is very close to that of the unix machines, deploying security patches, keeping an aye on IIS and other services to make sure they are working and are secure.

Why would someone proficient enough in C to be able to detect, fix, recompile & test a core flaw be in a sys admin role? They'd get much better money in a dev job if that was the case.

It's simply how us unix admins work, as Typedef said, it looks to be a very elitest lot, but generally were not, we just know what we are doing because of experience. Just setting up a unix machine to provide web/mail/database services can be a mixture of compiling/bugfixing. I pre build rpm's for our web servers and roll out where nessesary.

Why is a user logging into a server!? Perhaps your user policy should be reviewed to give the user a workstation rather than a mission ciritical server. Windows XP & Server 2003 take care of this issue for workstations. By default, users have never been able to log into DCs or any locked down application server.

Locked down being the key word. I can tell you now that a properly installed unix machine, isn't vulnerable from the moment its installed. Unless its a terribly old distro or a version of one. _Any_ windows machine installed and put on the internet will be exploited within 30 seconds. For example, customer puts mssql server onto corperate network with an internet facing IP, 30 minutes later the network upstream bandwidth is maxed out and causing denial of services. The same simply can't be said about unix machines. There are more examples, but there off topic.

Please try not to drag threads off topic.

Typedef

Oh look ==> http://slashdot.org/articles/04/04/09/0546203.shtml?tid=113&tid=126&tid=128&tid=172&tid=95 another Windows vulerability.

I wonder, how long it will take for a virus to pop up for this one and hammer another Nuclear Power plant al la Slammer.

http://www.securityfocus.com/news/6767

redhat_newbie

Can anyone of you lads tell me

1) Who spends most on security aspect (research or anything) Windows or Linux ?

2) Idea of GUI interface started from Linux or Windows ?

3) If windows OS is made open source will this annoyance towards microsoft will stop ? Windows is vulnerable becoz its not open source !

4) Why did Scott and Steve accepted a joint venture for the next 10 years ?


cheers lads,
RHN

dahamsta

Originally posted by redhat_newbie
1) Who spends most on security aspect (research or anything) Windows or Linux ?

Windows is an operating system, Linux is a kernel, neither can "spend" as far as I'm aware. You'd probably find a figure for Microsoft investment in security on their website, but to estimate the spend on Linux you'd have to total investment from all the main distros, plus you'd have to put a value on the time and energy people put into it for free. The latter would probably far outweigh the former.

2) Idea of GUI interface started from Linux or Windows ?

That's a flame war waiting to happen. As far as I can remember the first GUI was developed in PARC by Xerox, but it wasn't leveraged very well and was considered a failure. People say that Apple "stole" the idea, and Microsoft "stole" it off them; so the idea came from neither, however Microsoft was probably first to roll it out to end users on a (really) large scale. Unices have traditionally been managed from the command line so GUI's are relatively new to them.

3) If windows OS is made open source will this annoyance towards microsoft will stop ? Windows is vulnerable becoz its not open source !

The "annoyance" is imagined for the most part in my view. Yes, people scrap a lot about them, but most people I know tend to take it all in good humour. Windows won't be open sourced in the near future anyway, so there's really not much point speculating about it.

4) Why did Scott and Steve accepted a joint venture for the next 10 years ?

Scott McNealey and Steve Ballmer? Money. Sun needed the money.

adam

NinjaBart

Originally posted by ColmOT [MSFT]
Why would someone proficient enough in C to be able to detect, fix, recompile & test a core flaw be in a sys admin role? They'd get much better money in a dev job if that was the case.

maybe or maybe not. your assuming that just because someone can program that they want to work as a programmer. many don't. also it isn't unheard of (unusual maybe but I dont know) to have an internal build of a system for which internal security and development people will provide a patch if necessary for a unix system. i was a junior developer in just such an environment a couple of years ago and that flexibility was seen as a definite plus in favor of having source. i can assure that the systems people in that position were not stuck for cash wishing they had developer money i was wishing i was making the money they do (hence moving into my current admin job )

i'm sitting on the fence on this one but as much as the pro open source folks often seem to have a very blnkered view of where systems are deployed I fnid the same is true of the windows advocates. my current job is almost all windows btw.

redhat_newbie

dahamsta , Thanks a million for the information and answers.

BenH

Originally posted by redhat_newbie
Can anyone of you lads tell me

1) Who spends most on security aspect (research or anything) Windows or Linux ?


The amount of money spent on security is a bit of a red herring, you could (and MS probably does) spend hundreds of millions on security, but if the foundation of the operating system arnt geared towards it, or worse compromised for monitoring purposes, then that money is being wasted.

Windows has poor security for a whole host of reasons - its designed for standalone machines, networking was sewn on later, various other MS programs intergrate far too closely with the OS, such as IE and Outlook, as a result a minor problem with them becomes a major problem as a result. And so on.

Linux had networking designed into it at a very early stage, and IIRC took Linus close to 18 months to get it done right, and as the linux community is full of raging egomaniacs all trying to outdo one another security has gotten very good, especially when the NSA decided to play and outdid everyone with the SE patches which are now part of the 2.6 series of kernels. The BSD's and especially OpenBSD were essentially born with networking and as a result have phenominally good security.

Of course the commercial unices have an even better record, probably due to them only running on proprietary hardware which makes it rather hard for J. Random Cracker to learn.


2) Idea of GUI interface started from Linux or Windows ?


Neither PARC/Xerox, the idea which Steve Jobs promptly nicked/was inspired by for the Apple OS, which in turn Bill combined with CP/M to create windows.


3) If windows OS is made open source will this annoyance towards microsoft will stop ? Windows is vulnerable becoz its not open source !


It has nothing to do with windows being open source or not, its to do with windows not being a very good operating system with a pretty and consistent GUI hiding everything its doing backed up by a convicted monopoly shoving 3/4 of a billion in advertising down the publics necks.

I dont think anyone here would care what operating system you use, be it OSX/BSD/Linux or Windows, just so long as your aware of its benefits and limits and dont try and shove your choice down anyone elses throats.


4) Why did Scott and Steve accepted a joint venture for the next 10 years ?


As dahamsta said, money. Sun's stock are only a couple of points above the junk level.

redhat_newbie

Cheers lads
Cheers dahamsta and BenH

damnyanks

Wasn't Windows 3.1 just something put on top of DOS ? Then in Windows 95 it was made into its own actual OS. Sorry I'm not explainng properly, mainly cause I'm not too sure by what they meant

It was on some show ages ago. Apple had a GUI OS out for a good while. Microsoft needed to compete quickly and get into the market so they just threw something together (Or bought I forget :S). So it was still DOS just with a GUI, anything you did in 3.1 just went through to DOS to do whatever.

Then Windows 95 they changed that and gave it the needed requirments to do things itself.

Anyways... if youa re still with me (Sorry was a long time ago!) they rushed a product out for 3.1, fixed it in Win95.

The

Windows has poor security for a whole host of reasons - its designed for standalone machines, networking was sewn on later

Comment seems true, in which case they may do the same (Eventually) with Windows rewriting it to work better as a network machine. They are in business after all. They have a strong position in there market (And abuse it) but once they begin to loose there footing they will have to take notice, after all they may be butt pricks but still have somewhat decent (Not ethicaly) business concepts.

dahamsta

"Windows 95: 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company that can't stand 1 bit of competition."

I'll have me moderatorship privileges removed if I'm not careful. Perhaps Colm should be in charge.

nadir

Is it just me of is there alot to learn about windows admining? Ive seen big books on it, but for me without ever reading any documentation, I think I can admin a windows machine fairly well, I had a copy of win 2k server before, on the other hand Id say I read for at least 2 hours every day about linux stuff, it appears that it requires a massively bigger knowledebase to admin a linux system properly. Does this mean that linux admins, by virture of having to know alot more about their operating system can simply do a better job. As Colm *cough TROLL *Cough was pointing out earlier, that admins dont know c, I mean im just a home linux user, no professional experience, and I have a fairly good knowlege of perl c, c++, bash, and a whole load of linux trivia, I guess when I do start working with linux Ill know quite a bit. Is this also true of windows admins???

Emboss

I'm sure windows admins could spend a few hours a day reading but...

how many ways is there to say "Click next"

oscarBravo

Originally posted by damnyanks
Wasn't Windows 3.1 just something put on top of DOS ? Then in Windows 95 it was made into its own actual OS. Sorry I'm not explainng properly, mainly cause I'm not too sure by what they meant

Windows 1.x, 2.x (my first experience with Windows), 3.x, 9x and ME are all graphical shells on top of DOS. The later versions began more and more to unload the 16-bit DOS stuff and talk directly to the hardware using 32-bit drivers.

Windows NT, 2k and XP are somewhat different, in that they were designed around a purpose-built kernel. That said, much of the "user" and "gdi" APIs were common from day 1.

Cake Fiend

I stumbled across this photo of Colm in work:

Emboss

Originally posted by Sico
I stumbled across this photo of Colm in work:

Legend.

albertw

Originally posted by redhat_newbie

4) Why did Scott and Steve accepted a joint venture for the next 10 years ?

Money as others have said has a lot to do with it. Better a settlement now, than to have the lawers take all the money for the next few years right?

Also as Scott pointed out, customers had a lot to do with it. Spearheadding the crusade against M$ was fun but customers want the big sun servers to talk properly with the little windows boxes on peoples desks, cooperating on interoperability makes sence.

Cheers,
~Al
--
My thoughts not my employers :-)

Capt'n Midnight

Originally posted by Emboss
I'm sure windows admins could spend a few hours a day reading but...

how many ways is there to say "Click next"

RANT
I lost count a long time ago of the synomyms for "Click on the highlighted button to progress further"

The most interesting one is of course "Finish" as this now seems to occur in the first half of an install as well.
Microsoft English - has subtle differences to the dialect we use - even for what one would assume to be unambigious phrases like "Remove All"

/RANT

One thing I hate about windows - they keep moving and renaming stuff - and it looks like they won't have the full SQL dB for Active Directory stuff in Longhorn - so there are two more big changes on the road map.

Also - has anyone any research on the reveues for each of the various flavours of windows - you have home / pro / server / enterprise and CAL's.
Since most of cost of enterprise will be in the associated CAL's and since home is so less secure - it would be nice to see m$ to change it's marketing strategy so that there was ONE version of windows - you simply choose the mode it will use and simply increase the price of CAL's to maintain the revenue stream.
This would have the advantage in giving better security to Home users who are propably subsidising the development of 95% of the Enterprise server components.

SouperComputer

2) Idea of GUI interface started from Linux or Windows ?

FFS! I can remember the Atari ST (1985) and Commodore Amiga having a much better GUI than windows running on half or even quarter the spec that was required! They didn't half shift a few units between them either!

i feel sorry for colm though, he really dropped himself in it!

Capt'n Midnight

IIRC the GEM - GUI was around before Windows on PC's

Must find the link on BBC site where in M$ admitted there was no security in win95 - 10 years after the first beta went on release (The comment was - what will they be telling us in 10 years time about thier bloat ware)

Win95 is interesting - win 3.1 can be excused for security to a certain extent since newtorking was integrated in 3.11 - win 95 came out (with built in networking) in an era when McAfee ./ Dr Solomons were selling well and AFTER M$ had pulled out of the AV market because there were so many viruses targeted against their product. (ie. can't say they did not realise security was an issue)

SouperComputer

yea, it used GEM alright, by Digital Research, the same company that brought us CP/M (I think) There are a couple of PC ports of GEM about AFAIK, must try one out to see what its like.