| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: tobias at weisserth.de (Tobias Weisserth) Subject: Re: January 15 is Personal Firewall Day,help the cause Hi Jan, Let the ping-pong game begin ;-) Am Sam, den 17.01.2004 schrieb jan.muenther@...ns.com um 04:21: > at the risk of sounding like a Win32 advocate... No, you don't. :-) > > I agree. But Windows isn't delivered in such a minimum state by default. > > Instead all doors are open. When MS ships Windows shouldn't it deliver > > it with all doors closed instead of all doors open? I'd rather have an > > "opt-in" for security risks than an "opt-out". > > I agree. MS are slowly grokking this. An example would be IIS6, which they > got fully source code audited and which comes fairly reduced by default. I > still don't agree to some design decisions (like running part of it in ring > 0), but hey, it sure is a step forward. They've been lambasted badly and > earned it, but they're making progress for sure. Anything else would be pretty pathetic if you take into consideration their financial potential that would enable them to throw in a hundred full-time developers to audit ANYTHING they have ever written and sold during the last two years. The reason Microsoft is not auditing more software is that their priority is still on profits and not on security. This is the difference with projects like OpneBSD. They don't work to make profits. They work to publish the most secure Unix system there is. > > available tools at affordable prices. Maybe you can correct me here. I'd > > love to see something as Claymore, Tripwire or AIDE freely available on > > Windows. > > Hm, I doubt that it doesn't exist. As a dirty workaround, one could create > md5 hashes oneself and store them in an offline database. I guess with a little bit of work a devoted Perl junkie could modify Claymore to work with Windows. Since claymore is just a Perl script basically this shouldn't be too much of a hassle since ActivePerl isn't too bad. > > Again, this is not what I am criticising. I am criticising that Windows > > ships with some sort of packet filtering (though I doubt it can compete > > with iptables) but it is not enabled by default. > > Neither is it in a lot of Unixes. That's usually "page 3" in Red Hat/Fedora, Mandrake or SuSE manuals ;-) "Click Yast", choose "Security and users" and enable the SuSEfirewall2. I can't remember ever heaving read something about a firewall built in Windows when browsing the Windows manuals. It doesn't spring into your face to say the least. > And yeah, first of all it's crudely positioned (ipsec policies? c'mon...), > and second it's a stateless packet filter which can be circumvented fairly > trivially... I agree. But quality isn't the point, yet. We're still speaking about a quantity > 0 here ;-) > Still, it's possible to take a simple workstation out of the line of fire > pretty much. The "Internet Connection Firewall" that XP has is at least a > lot better than having nothing, and it's trivial to enable even for Joe or > Jane User. Well, I simply don't understand why MS is shipping Windows with an AOL link on the desktop instead of a "Enable Firewall" link. Security doesn't seem to be a priority as long as MS products sell without it. > > ZoneAlarm and all these other products actually may have their positive > > sides but you can't cure an unpatched Windows XP Home or older unpatched > > Windows 98 boxes by just installing such a Personal Firewall. > > Dude... neither is a firewall a cure for an unpatched Unix box! Of course. But the point I am aiming at here is the fact that VERY often patches for well known security related bugs in MS software are not available for weeks or even months. I did it and I'll do it again: I'll remind you about Thor Larholm Senior Security Researcher PivX Solutions who used to offer a list about unpatched bugs in MS software on his company's site. The list contained more than 30 unpatched bugs that could be exploited at the time he took the list offline. He is doing business now with Microsoft, so full disclosure isn't an option anymore, I guess. Comparing this to Linux and open sourced Unix systems you'll agree that bugs are available VERY fast and critical bugs don't go without patches or workarounds for weeks to come until they are revealed. THIS is why I'm criticising the philosophy of promoting Personal Firewall Day for Windows end users because it seems to release MS from their obligation to fix flaws in end user software such as Outlook and Internet Explorer and end users get the impression they are safe because they have this perimeter defence. > I see it so often that people rely on their perimeter defense. Once you're through that > it's mayhem. This is a platform independent problem. Unavailable patches is not a platform independent problem, yet not to this extend. I'd rather see a fully patched MS Windows than a thousand additional virus scanners and firewall programs. I guess this day will never come. > > new program is really annoying. If you think this can be avoided by > > telling the end user not to use these programs then you are utterly > > mistaken. End users are addicted to those ad driven trash like Kazaa, > > various download managers and other stuff. They'd rather cut off their > > left hand then not to use such programs. > > Do you think that would be any different if Linux replaced Windows as the > most frequent end user platform? I strongly doubt it. I very much think so. This is a difference in concept. Ad driven programs are ad driven because they aim for profit. Their open source competitors are not aiming for profits. They don't need to spy on consumers and bug them with commercial messages on their screen. Of course there will be ad driven Linux end user programs but those would have to compete with a mighty host of free and high quality open source programs that come without commercials and offer the same or better usability. Guess what the consumer is going to chose. > > The advantage in Open Source software is that it doesn't run ad driven > > and doesn't spy on the end user while offering the same functionality > > and most of the times even more. > > While I generally agree, the way most people handle OSS these days, it's > trivial to sneak in spyware functionality as well. I can't remember what it > was, but I've seen attempts to mail my /etc/passwd to some hushmail account > from a Makefile (very sneaky, haha). This is a problem when people don't use tools like apt or Portage, Ports and such with official sources. When users chose to be their own "packager" or "distributor" then they certainly have to live with the risks. Windows users fail to do so in numbers of thousands every hour when they open emails, visit websites, install software, do filesharing and so on. A Debian user, content with the supply available to him in apt, will never be tempted to install anything from an unknown source. Concerning your /etc/passwd file. It's shadowed, isn't it? So even if it got sent to someone he'd have to crack it with john or something and count on weak passwords. If you chose your passwords with more than 9 or 10 letters/signs randomly than he'd be busy 60.000 years for just one password if he can do 10.000.000 operations in a second. > > This is where I have to disagree with might. File permissions with user, > > group and world levels, processes locked in chroot environments, the > > possibility of starting single tasks with root access via sudo from > > within a normal user session are all examples of things lacking in > > Windows. > > Hm, no. NTFS actually supports ACLs straight out of the box. Well, why can I browse the file tree and even change stuff on a default Windows 2000 installation that doesn't belong to my user? If there IS the possibility to use these restrictions why doesn't a default installation use them to full extend? > With runas, you can switch the security context of the current user to run a process with > different credentials. This is new to me. Is this a feature of Windows 2000 or has it been introduced in Windows XP or 2003? > As of chroot'ed environments, I can't think of > anything practical at the moment, indeed. That's really bad then, isn't it? > > Every user logging in to Windows XP Home is working with full system > > rights. This is the state the system is delivered by Microsoft. How > > should a Windows XP end user know that this is dangerous and how should > > he know to change this?! > > XP Home Ed. is a big scam - they basically deprived it of any useful > functionality of their "professional" operating systems. Well, this is no excuse. MS is selling this thing as a replacement for Windows 98/ME and there are more Windows XP Home installations worldwide than Windows XP Professional installations. In the name of the Lord... how is it possible that someone is allowed to ship an operating system that makes every user "root" by default?! It's actually the same with LindowsOS. I seem to remember heaving read an article which explained that LindowsOS makes every user root too so that the "one-click" installation doesn't require the prompt for a root password. This is insane. The people selling this should be punished by cleaning every infected box themselves, worldwide and 24/7. > > Rigid rights management in Windows is a modern myth. This simply can't > > be compared to Unix/Linux. > I really beg to differ. You *can* do a very fine grained rights management > with NT+ systems, only very few people actually do. Ever read the NSA paper > on NT hardening? But what are the results? *can* is simply not good enough. "opt-in" into security is utter BS. A solid system needs "opt-out" of security patterns not "opt-in". > > What user does the IIS webserver run as when you install the IIS the > > default way? The same goes for other services on Windows servers. > > It actually runs as the IUSR_MACHINENAME anonymous account, not as Local > Authority / SYSTEM - the IIS5, I mean, IIS4 did run as system. Then again, > come on, a lot of Unix services run as root as well, at least on classical > Unix systems. I'm actually not aware of any daemon offering external services that doesn't have its own user linked to it. Most daemons come with a default configuration that even puts the daemon in a chroot prison by default. > > How to implement a chroot environment in Windows? > > I actually don't know off the top of my head, but I'm sure MS came up with > something to match the DoD's compartmentalization requirements. And yes, I > have my doubts too whether it's any good. The only way to get Microsoft to improve security is to put pressure on their profits. This is the only lever that actually can move anything inside Microsoft. This is the difference to other software projects that don't have this lever. > > Does it safe user passwords one way encrypted like the shadow password > > file in Linux? :-) > > Hm? Yes, sure it does. It's not even so easy to get to the hashes, you have > to have LA/SYSTEM for it. Of course, one of Wintendo's biggest flaws is the > fall-back to LanMan, so the LM hashes stored in the SAM are a problem. > However, you can switch that off if you know how. Again: "opt-in". I don't want to "opt-in" into security. I want it secured by default requiring action on my behalf to make it less secure. If Microsoft doesn't know how to offer the features without opting out of security then they should strip that feature. It's as simple as that. > > In Linux passwords get encrypted and sent to the shadow password file > > like that. When a user logs in his input gets encrypted again and the > > encrypted input is compared against the encrypted password. > > actually, in Windows it's not even as trivial as that. That's taking a bit > too far, if you're interested, we can discuss in private. I'd love to know more about that. I thought that since Linux itself doesn't come with a way to decrypt the password file other than using brute force (with john or something) this is as "safe" as it can get. > > We agree. Maybe "missing" was not the right way to describe it. "Missing > > by default" or "available but not enabled by default" would have been > > better. The result though is the same. > > Uh huh. The problem in my opinion is two-fold: Windows users (and/or > administrators, mind you) know far too little about the system, if they did, > they'd be able to make it fairly secure, which it isn't by default. There is a lot of truth here. How can administrators know enough about their Windows system and its software when it's very hard to obtain "full disclosure" information on closed, propriety software which is very often poorly documented? > Linux/Unix users however often make the mistake of assuming safety simply > due to the fact they're running something else than Windows. Those are the "I did switch recently and I feel SO safe now" users. As soon as they use Linux for a certain time then they get to know that there's more to security then the right software. > And that is as a matter of fact a *very* false sense of security. That's true. I just want to remember about the guy with the rootkit which I asked about. Running SuSE Linux, patching regularly and thought he was safe while running an unpatched PHPNuke installation. Ouch. :-) > There's no reason to be smug just because you're running Debian, OpenBSD or > whatever. You still need to keep up to date and educate yourself. OpenBSD does offer a very high level of security "out of the box" even if not updated for a while. They had about a handful of remote exploits on a default installation in about 7 years. This same amount of remote exploits did occur within just two months in some Windows system. > And again, I'd argue that neither Unix nor Windows were designed to be > secure operating systems. Plan 9 e.g. is. That might be true ;-) cheers, Tobias W.
Powered by blists - more mailing lists