Message-ID: <20040510150647.GB3873@symantec.bugtraq.org>
From: thief at bugtraq.org (Richard Johnson)
Subject: iDEFENSE: Security Whitepaper on Trusted Computing Platforms

no.

On Mon, May 10, 2004 at 09:53:53AM -0400, Brian Toovey wrote:
> is this not the same person who misrepresented an openssh vuln last week?
> 
> On May 10, 2004 09:42 AM, Richard Johnson <thief@...traq.org> wrote:
> 
> > 
> > iDEFENSE: The Power of Intelligence : Current Intelligence Report
> > iSecurity Brief 05.10.04: Why OpenBSD is more secure than Linux
> > Author: Richard Johnson, the DataThief
> > 
> > Introduction
> > Well my mother just finished knitting me a new pair of asbestos
> > booties so I thought it was high time I try them out. Set phasers to
> > "flame". Please read the entire article before using them. Just
> > remember, I could have copped out by making the title something like
> > "Will Linux ever be as secure as OpenBSD?" or even "Which is more
> > secure, Linux or OpenBSD?". But I didn't. As well you should check out
> > the LASG/LSKB if you haven't already. I also know about ImmunixOS from
> > WireX and the NSA's SELinux (go read last week's column!).
> > 
> > The code
> > 
> > Let's face it, Linux is a great OS, I have more than a few machines
> > running it, but due to a number of factors it's never going to be as
> > secure as OpenBSD (which I also have running on several machines). But
> > Linux will never be as secure as OpenBSD, for technical, political and
> > marketing reasons. One of the most obvious differences between Linux
> > and OpenBSD (assuming you look under the hood a bit) is the fact that
> > OpenBSD has done an extensive code audit. The OpenBSD team has
> > literally spent dozens of man years of effort auditing code, not only
> > for security but for general correctness. Even the man pages for
> > OpenBSD are clean and consistent. This is a very proactive form of
> > security, OpenBSD fixes many problems before they become security
> > issues. No such form of extensive code audit exists in the Linux
> > world, and likely never will. Most vendors I have spoken with
> > typically have a small security team of less than a half dozen people
> > (usually much less). Even ignoring the fact that Linux vendors ship
> > many more packages as standard than OpenBSD (which tends to rely on
> > the ports collection for add on software) the basic components that
> > both Linux and OpenBSD have (kernel, command shells, system utilities,
> > etc.) are quite large, several hundred megabytes of source code in
> > total. There simply are not enough competent Linux programmers to do a
> > security audit on this code, let alone every vendor hiring enough
> > people to fix their own versions/etc. Even when vendors do do code
> > audits they typically face a problem, many programmers maintaining
> > software are indifferent, or even hostile to people sending them
> > security fixes, so it is very common for the original software to be
> > insecure, and the vendor must maintain their own patch set. This
> > problem affects OpenBSD far less as they maintain their own code base
> > now, and it has significantly diverged in many areas (ssh and OpenSSH
> > being a prime example). Even if Linux vendors want to audit all their
> > code there aren't enough Linux programmers capable of doing this. This
> > means that Linux vendors are essentially doomed to reacting to
> > security problems, applying patches and shipping out fixed versions of
> > software, leaving users open to vulnerabilities for hours, days or
> > even weeks in some cases.
> > 
> > This is far more important than it sounds, even with additional
> > security products such as PitBull there may be ways for an attacker to
> > exploit some bug in the kernel that allows them to bypass add-on
> > security, this happened with PitBull for Solaris, PitBull was fine,
> > the Solaris kernel was not. Generally speaking add on security
> > products cannot completely protect the system, for example unless a
> > firewall product replaces the TCP-IP stack of an OS any problems in
> > the TCP-IP stack will still be exploitable.
> > 
> > 
> > Cryptographic software
> > 
> > This is an area where OpenBSD trounces Linux. OpenBSD not only ships
> > OpenSSL, OpenSSH, IPSec, and several other cryptographic software
> > packages, but they have actually been largely responsible for OpenSSH,
> > which is an incredibly important piece of software now. While many
> > Linux vendors do ship OpenSSL and OpenSSH there are several that do
> > not (Caldera being a notable example). However no major Linux vendors
> > ship IPSec support built in, while there is a project for Linux IPSec,
> > it is difficult at best to install and configure, and at worst almost
> > impossible (I know, I've used it). OpenBSD on the other hand ships by
> > default with one of the best IPSec implementations available. OpenBSD
> > also provides a different (better in many ways) key daemon, with
> > support for various forms of authentication, an area where FreeS/WAN
> > is weak. Additionally because the majority of Linux work is done from
> > within the US (Linus Torvalds now lives there) there is almost no
> > cryptographic support built into the Linux kernel. If you want to add
> > crypto you must patch the kernel and rebuild it. Very few vendors, if
> > any at all (I'm not aware of a single one), ship any crypto built
> > into the kernel such as IPSec support, or any form of cryptographic
> > hooks (however many do ship OpenSSL/OpenSSH and other cryptographic
> > components). Because OpenBSD is done from Canada, the export of public
> > domain (usually interpreted as OpenSource) is not a problem, giving
> > you out of the box support.
> > 
> > 
> > Cryptographic hardware
> > 
> > Yet another area where OpenBSD shines and Linux is almost completely
> > lacking. OpenBSD supports several cryptographic acceleration products,
> > allowing you to build very powerful (and cheap) IPSec gateways for
> > example. While there is some SSL acceleration hardware available for
> > Linux this is essentially an easy problem to solve (most web load
> > balancers can handle the encryption, and keep sessions organized
> > properly). There is as far as I know no IPSec capable hardware
> > acceleration products for Linux. As well OpenBSD is currently working
> > towards allowing hardware to accelerate other cryptographic software
> > such as ssh, which will become an increasingly large problem (how much
> > CPU would you have to add to a server to support 1000 users using ssh
> > instead of telnet?). As well with OpenSSH's support for large file
> > transfers (via scp and sftp) load on servers using the SSH protocol
> > will only increase.
> > 
> > On the cryptographic front OpenBSD has Linux beat, hands down. The
> > chances of Linux gaining this support are unlikely for a number of
> > reasons, US crypto export policy, and a lack of programmers that are
> > capable of writing the software to name a few. This is not something
> > that will change for a long time (if ever).
> > 
> > Happy customers
> > 
> > Linux vendors care about having happy customers. OpenBSD developers
> > don't. The Linux market has become a very competitive space, with
> > around a dozen "major" distributions, and literally dozens (if not
> > hundreds) of smaller players. The major distributions generally pursue
> > similar markets, home desktop users, corporate/educational desktop
> > users and corporate/educational servers. Almost every commercial
> > vendor has invested significant effort in graphical installation
> > programs, desktop software like Gnome and KDE, and other
> > usability/entertainment/productivity software. There is absolutely
> > nothing wrong with this, as more people use Linux the installation
> > must become easier, and things like word processors are needed.
> > However it means that Linux vendors have to spend a lot more effort
> > pleasing users, several distributions now ship on multiple CDs
> > because of all the add on software they include. Although customers
> > complain about security, very few will actually take a secure product
> > instead of an insecure product with more features (even if they may
> > not need those features). Unless a sizable portion of customers start
> > putting their money where their mouth is vendors will not change
> > significantly.
> > 
> > Secure by default
> > 
> > In comparison OpenBSD 2.8's install files (all of them) are just over
> > 90 megs, installed (with everything) it requires around 200 megs of
> > space. The only things enabled by default in OpenBSD are those that
> > the developers deem "safe". For example Telnet is disabled by default,
> > and OpenSSH is enabled. Sendmail is configured to run in local queue
> > mode, it can send mail but not receive (you must add the "-bd" option
> > in rc.conf to enable it). As OpenBSD's webpage puts it:
> > 
> > Four years without a remote hole in the default install!
> > 
> > Which is not something any Linux vendor can claim (or ever will in all
> > likelihood). A typical installation of Linux will result in a half
> > dozen or more network services being started, and while some vendors
> > are starting to improve it is unlikely many will since disabling
> > things results in frustrated users and increased support costs
> > (although one wonders about the cost of rebuilding machines after they
> > are broken into).
> > 
> > Summary
> > 
> > We need to teach people how to program well, and then maybe we can
> > teach them how to program securely. We then need these programmers to
> > either completely rewrite major portions of the software most Linux
> > vendors ship, or audit the existing stuff (in both cases a task that
> > is unlikely to be done). Since this is basically impossible we need to
> > look at other solutions. ImmunixOS and SELinux are two solutions to
> > this problem, and when installed, maintained and used correctly they
> > do help, a lot. However this will not benefit the vast majority of
> > Linux users. OpenBSD users on the other hand have an extremely clean
> > and secure code base to work from, that is proactively being audited
> > on a continuous basis. Linux has dug itself into a very deep hole, and
> > appears to be digging downwards at an ever faster rate. Even with add
> > on software like PitBull LX, or NSA's SELinux kernel modifications
> > there are still potential security holes that could allow an attacker
> > to bypass any Mandatory Access Controls, RBAC, Type Enforcement as was
> > the case with PitBull for Solaris (Solaris had a flaw that allowed
> > attackers to compromise the system despite PitBull). Without a high
> > level of assurance in the actual source code of the Linux kernel and
> > associated files there will always be a hint of doubt about the
> > security of the system as a whole. This is why Linux can never be as
> > secure as OpenBSD.
> > 
> > Reference links:
> > 
> > http://www.openbsd.org/ - OpenBSD
> > 
> > http://www.openbsd.org/security.html - OpenBSD security page
> > 
> > http://www.openbsd.org/crypto.html - OpenBSD crypto page
> > 
> > http://seifried.org/lasg/ - Linux Administrators Security Guide
> > 
> > 
> >            _____________________________________
> >           / Why can't those cheap bastards from \
> >           \ Bank of America pay bills on time?  /
> >            -------------------------------------
> >                 \                _
> >                  \              (_)
> >                   \   ^__^       / \
> >                    \  (oo)\_____/_\ \
> >                       (__)\       ) /
> >                           ||----w ((
> >                           ||     ||>>
> > 
> > About iDEFENSE:
> > iDEFENSE is a global security intelligence company that proactively
> > monitors sources throughout the world from technical vulnerabilities
> > and hacker profiling to the spread of viruses and other malicious code.
> > iALERT, our security intelligence service, provides decision-makers,
> > frontline security professionals and network administrators with timely
> > access to actionable intelligence and decision support on cyber-related
> > threats. We are currently trying for complete market dominance and hope
> > to soon eliminate the Carlyle Group by any means necessary.  We already
> > have stolen their webdesign - their customer base is next.  For more
> > information, visit http://www.idefense.com, or our research team's
> > official website at http://idefense.bugtraq.org.
> > 
> > -- 
> > Richard Johnson, CISSP
> > Senior Security Researcher
> > iDEFENSE Inc.
> > thief@...traq.org
> > 
> > Get paid for security stuff!!!!!!
> > http://www.idefense.com/contributor.html
> > 
> > and become part of our research team!
> > http://idefense.bugtraq.org/
> 
> Brian Toovey
> igxglobal
> 389 Main Street Suite 206
> Hackensack, NJ 07601
> Ph: 201-498-0555x2225
> btoovey@...global.com
> 
> Subscribe to the igxglobal Daily Security Briefing
> http://www.igxglobal.com/dsb/register.html
> 
> igxglobal announces Daily Security Briefing newsletter
> http://www.prweb.com/releases/2004/5/prweb123759.htm
> 
> 
> The electronic message that you have received and any attachments are solely intended for the use of the addressee(s) and may contain information that is confidential. If you receive this email in error, please advise us by responding to NOC@...global.com. You are required to delete the contents and destroy any copies immediately.
> igxglobal is not liable for the views expressed in this electronic message or for the consequences of any computer viruses that may be unknowingly transmitted within this message. This electronic message is also subject to standard copyright/ownership laws. It is not intended to be reproduced, or re-transmitted without the consent of the originator.
> 

-- 
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief@...traq.org

Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html

and become part of our research team!
http://idefense.bugtraq.org/
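The "Secure by default" section of the quoted article makes a concrete claim: only services the developers deem safe should be listening after install (telnet off, OpenSSH on, sendmail in local queue mode), whereas a typical Linux install starts half a dozen or more network services. The POSIX shell script below is an added example, not code from the original post or from either the OpenBSD or Linux projects: it audits a host's listening sockets against an allowlist of ports the administrator has explicitly decided to expose, and ignores loopback-only bindings such as a mail daemon that can send but not receive. The `ALLOWED_PORTS` value and the `SAMPLE` socket listing are constructed assumptions for offline use; on a real Linux host the input would be the output of `ss -ltnu` with its header line dropped (`ss -ltnu | tail -n +2`).

```shell
#!/bin/sh
# Added example (not from the original post): audit listening sockets against
# an allowlist, in the spirit of the article's "only what the developers deem
# safe is enabled" default.  Input format is that of `ss -ltnu` on Linux with
# the header dropped:  Netid State Recv-Q Send-Q Local-Address:Port Peer:Port

# Assumption: the only service this host is meant to expose is OpenSSH.
ALLOWED_PORTS="22"

# Constructed sample listing (not captured from a real machine): telnet, an
# SMTP daemon bound to all interfaces, the portmapper, sshd on IPv4 and IPv6,
# and an SMTP daemon bound only to loopback (the "local queue mode" case).
SAMPLE='tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23    0.0.0.0:*
tcp   LISTEN 0 10  0.0.0.0:25    0.0.0.0:*
tcp   LISTEN 0 10  127.0.0.1:25  0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:111   0.0.0.0:*
tcp   LISTEN 0 128 [::]:22       [::]:*'

# unexpected_listeners LISTING
# Prints "proto port address" for each socket that is reachable from the
# network (not bound to loopback) and whose port is not in ALLOWED_PORTS.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        NF >= 5 {
            loc = $5
            port = loc; sub(/.*:/, "", port)      # text after the last colon
            addr = loc; sub(/:[^:]*$/, "", addr)  # everything before it
            # Loopback-only bindings are not exposed to the network; skip them.
            if (addr == "127.0.0.1" || addr == "[::1]") next
            if (!(port in ok)) print $1, port, addr
        }'
}

# count_unexpected LISTING
# Number of flagged sockets; zero means the host matches its allowlist.
count_unexpected() {
    unexpected_listeners "$1" | wc -l | tr -d ' '
}

# Demonstration on the constructed sample.
unexpected_listeners "$SAMPLE"
echo "unexpected listeners: $(count_unexpected "$SAMPLE")"
```

The allowlist is deliberately a list of ports rather than of process names, so the check does not depend on the privilege needed to see process owners; a non-zero count is the signal to either disable the service or add it to the list on purpose, which is the decision the article says most vendors never force on the user.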

