[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1074350065.17470.94.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Re: January 15 is Personal Firewall Day,help
the cause
Hi Jan,
Let the ping-pong game begin ;-)
Am Sam, den 17.01.2004 schrieb jan.muenther@...ns.com um 04:21:
> at the risk of sounding like a Win32 advocate...
No, you don't. :-)
> > I agree. But Windows isn't delivered in such a minimum state by default.
> > Instead all doors are open. When MS ships Windows shouldn't it deliver
> > it with all doors closed instead of all doors open? I'd rather have an
> > "opt-in" for security risks than an "opt-out".
>
> I agree. MS are slowly grokking this. An example would be IIS6, which they
> got fully source code audited and which comes fairly reduced by default. I
> still don't agree to some design decisions (like running part of it in ring
> 0), but hey, it sure is a step forward. They've been lambasted badly and
> earned it, but they're making progress for sure.
Anything else would be pretty pathetic if you take into consideration
their financial potential that would enable them to throw in a hundred
full-time developers to audit ANYTHING they have ever written and sold
during the last two years.
The reason Microsoft is not auditing more software is that their
priority is still on profits and not on security. This is the difference
with projects like OpneBSD. They don't work to make profits. They work
to publish the most secure Unix system there is.
> > available tools at affordable prices. Maybe you can correct me here. I'd
> > love to see something as Claymore, Tripwire or AIDE freely available on
> > Windows.
>
> Hm, I doubt that it doesn't exist. As a dirty workaround, one could create
> md5 hashes oneself and store them in an offline database.
I guess with a little bit of work a devoted Perl junkie could modify
Claymore to work with Windows. Since claymore is just a Perl script
basically this shouldn't be too much of a hassle since ActivePerl isn't
too bad.
> > Again, this is not what I am criticising. I am criticising that Windows
> > ships with some sort of packet filtering (though I doubt it can compete
> > with iptables) but it is not enabled by default.
>
> Neither is it in a lot of Unixes.
That's usually "page 3" in Red Hat/Fedora, Mandrake or SuSE manuals ;-)
"Click Yast", choose "Security and users" and enable the SuSEfirewall2.
I can't remember ever heaving read something about a firewall built in
Windows when browsing the Windows manuals. It doesn't spring into your
face to say the least.
> And yeah, first of all it's crudely positioned (ipsec policies? c'mon...),
> and second it's a stateless packet filter which can be circumvented fairly
> trivially...
I agree. But quality isn't the point, yet. We're still speaking about a
quantity > 0 here ;-)
> Still, it's possible to take a simple workstation out of the line of fire
> pretty much. The "Internet Connection Firewall" that XP has is at least a
> lot better than having nothing, and it's trivial to enable even for Joe or
> Jane User.
Well, I simply don't understand why MS is shipping Windows with an AOL
link on the desktop instead of a "Enable Firewall" link.
Security doesn't seem to be a priority as long as MS products sell
without it.
> > ZoneAlarm and all these other products actually may have their positive
> > sides but you can't cure an unpatched Windows XP Home or older unpatched
> > Windows 98 boxes by just installing such a Personal Firewall.
>
> Dude... neither is a firewall a cure for an unpatched Unix box!
Of course. But the point I am aiming at here is the fact that VERY often
patches for well known security related bugs in MS software are not
available for weeks or even months.
I did it and I'll do it again: I'll remind you about
Thor Larholm
Senior Security Researcher
PivX Solutions
who used to offer a list about unpatched bugs in MS software on his
company's site. The list contained more than 30 unpatched bugs that
could be exploited at the time he took the list offline. He is doing
business now with Microsoft, so full disclosure isn't an option anymore,
I guess.
Comparing this to Linux and open sourced Unix systems you'll agree that
bugs are available VERY fast and critical bugs don't go without patches
or workarounds for weeks to come until they are revealed. THIS is why
I'm criticising the philosophy of promoting Personal Firewall Day for
Windows end users because it seems to release MS from their obligation
to fix flaws in end user software such as Outlook and Internet Explorer
and end users get the impression they are safe because they have this
perimeter defence.
> I see it so often that people rely on their perimeter defense. Once you're through that
> it's mayhem.
This is a platform independent problem. Unavailable patches is not a
platform independent problem, yet not to this extend.
I'd rather see a fully patched MS Windows than a thousand additional
virus scanners and firewall programs. I guess this day will never come.
> > new program is really annoying. If you think this can be avoided by
> > telling the end user not to use these programs then you are utterly
> > mistaken. End users are addicted to those ad driven trash like Kazaa,
> > various download managers and other stuff. They'd rather cut off their
> > left hand then not to use such programs.
>
> Do you think that would be any different if Linux replaced Windows as the
> most frequent end user platform? I strongly doubt it.
I very much think so. This is a difference in concept. Ad driven
programs are ad driven because they aim for profit. Their open source
competitors are not aiming for profits. They don't need to spy on
consumers and bug them with commercial messages on their screen.
Of course there will be ad driven Linux end user programs but those
would have to compete with a mighty host of free and high quality open
source programs that come without commercials and offer the same or
better usability. Guess what the consumer is going to chose.
> > The advantage in Open Source software is that it doesn't run ad driven
> > and doesn't spy on the end user while offering the same functionality
> > and most of the times even more.
>
> While I generally agree, the way most people handle OSS these days, it's
> trivial to sneak in spyware functionality as well. I can't remember what it
> was, but I've seen attempts to mail my /etc/passwd to some hushmail account
> from a Makefile (very sneaky, haha).
This is a problem when people don't use tools like apt or Portage, Ports
and such with official sources. When users chose to be their own
"packager" or "distributor" then they certainly have to live with the
risks. Windows users fail to do so in numbers of thousands every hour
when they open emails, visit websites, install software, do filesharing
and so on.
A Debian user, content with the supply available to him in apt, will
never be tempted to install anything from an unknown source.
Concerning your /etc/passwd file. It's shadowed, isn't it? So even if it
got sent to someone he'd have to crack it with john or something and
count on weak passwords. If you chose your passwords with more than 9 or
10 letters/signs randomly than he'd be busy 60.000 years for just one
password if he can do 10.000.000 operations in a second.
> > This is where I have to disagree with might. File permissions with user,
> > group and world levels, processes locked in chroot environments, the
> > possibility of starting single tasks with root access via sudo from
> > within a normal user session are all examples of things lacking in
> > Windows.
>
> Hm, no. NTFS actually supports ACLs straight out of the box.
Well, why can I browse the file tree and even change stuff on a default
Windows 2000 installation that doesn't belong to my user?
If there IS the possibility to use these restrictions why doesn't a
default installation use them to full extend?
> With runas, you can switch the security context of the current user to run a process with
> different credentials.
This is new to me. Is this a feature of Windows 2000 or has it been
introduced in Windows XP or 2003?
> As of chroot'ed environments, I can't think of
> anything practical at the moment, indeed.
That's really bad then, isn't it?
> > Every user logging in to Windows XP Home is working with full system
> > rights. This is the state the system is delivered by Microsoft. How
> > should a Windows XP end user know that this is dangerous and how should
> > he know to change this?!
>
> XP Home Ed. is a big scam - they basically deprived it of any useful
> functionality of their "professional" operating systems.
Well, this is no excuse. MS is selling this thing as a replacement for
Windows 98/ME and there are more Windows XP Home installations worldwide
than Windows XP Professional installations.
In the name of the Lord... how is it possible that someone is allowed to
ship an operating system that makes every user "root" by default?!
It's actually the same with LindowsOS. I seem to remember heaving read
an article which explained that LindowsOS makes every user root too so
that the "one-click" installation doesn't require the prompt for a root
password. This is insane. The people selling this should be punished by
cleaning every infected box themselves, worldwide and 24/7.
> > Rigid rights management in Windows is a modern myth. This simply can't
> > be compared to Unix/Linux.
> I really beg to differ. You *can* do a very fine grained rights management
> with NT+ systems, only very few people actually do. Ever read the NSA paper
> on NT hardening?
But what are the results? *can* is simply not good enough. "opt-in" into
security is utter BS. A solid system needs "opt-out" of security
patterns not "opt-in".
> > What user does the IIS webserver run as when you install the IIS the
> > default way? The same goes for other services on Windows servers.
>
> It actually runs as the IUSR_MACHINENAME anonymous account, not as Local
> Authority / SYSTEM - the IIS5, I mean, IIS4 did run as system. Then again,
> come on, a lot of Unix services run as root as well, at least on classical
> Unix systems.
I'm actually not aware of any daemon offering external services that
doesn't have its own user linked to it.
Most daemons come with a default configuration that even puts the daemon
in a chroot prison by default.
> > How to implement a chroot environment in Windows?
>
> I actually don't know off the top of my head, but I'm sure MS came up with
> something to match the DoD's compartmentalization requirements. And yes, I
> have my doubts too whether it's any good.
The only way to get Microsoft to improve security is to put pressure on
their profits. This is the only lever that actually can move anything
inside Microsoft. This is the difference to other software projects that
don't have this lever.
> > Does it safe user passwords one way encrypted like the shadow password
> > file in Linux? :-)
>
> Hm? Yes, sure it does. It's not even so easy to get to the hashes, you have
> to have LA/SYSTEM for it. Of course, one of Wintendo's biggest flaws is the
> fall-back to LanMan, so the LM hashes stored in the SAM are a problem.
> However, you can switch that off if you know how.
Again: "opt-in". I don't want to "opt-in" into security. I want it
secured by default requiring action on my behalf to make it less secure.
If Microsoft doesn't know how to offer the features without opting out
of security then they should strip that feature. It's as simple as that.
> > In Linux passwords get encrypted and sent to the shadow password file
> > like that. When a user logs in his input gets encrypted again and the
> > encrypted input is compared against the encrypted password.
>
> actually, in Windows it's not even as trivial as that. That's taking a bit
> too far, if you're interested, we can discuss in private.
I'd love to know more about that. I thought that since Linux itself
doesn't come with a way to decrypt the password file other than using
brute force (with john or something) this is as "safe" as it can get.
> > We agree. Maybe "missing" was not the right way to describe it. "Missing
> > by default" or "available but not enabled by default" would have been
> > better. The result though is the same.
>
> Uh huh. The problem in my opinion is two-fold: Windows users (and/or
> administrators, mind you) know far too little about the system, if they did,
> they'd be able to make it fairly secure, which it isn't by default.
There is a lot of truth here. How can administrators know enough about
their Windows system and its software when it's very hard to obtain
"full disclosure" information on closed, propriety software which is
very often poorly documented?
> Linux/Unix users however often make the mistake of assuming safety simply
> due to the fact they're running something else than Windows.
Those are the "I did switch recently and I feel SO safe now" users. As
soon as they use Linux for a certain time then they get to know that
there's more to security then the right software.
> And that is as a matter of fact a *very* false sense of security.
That's true. I just want to remember about the guy with the rootkit
which I asked about. Running SuSE Linux, patching regularly and thought
he was safe while running an unpatched PHPNuke installation. Ouch. :-)
> There's no reason to be smug just because you're running Debian, OpenBSD or
> whatever. You still need to keep up to date and educate yourself.
OpenBSD does offer a very high level of security "out of the box" even
if not updated for a while. They had about a handful of remote exploits
on a default installation in about 7 years. This same amount of remote
exploits did occur within just two months in some Windows system.
> And again, I'd argue that neither Unix nor Windows were designed to be
> secure operating systems. Plan 9 e.g. is.
That might be true ;-)
cheers,
Tobias W.
Powered by blists - more mailing lists