Re: [Full-Disclosure] iDEFENSE: Security Whitepaper on Trusted Computing Platforms
- To: Brian Toovey <btoovey@xxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] iDEFENSE: Security Whitepaper on Trusted Computing Platforms
- From: Richard Johnson <thief@xxxxxxxxxxx>
- Date: Mon, 10 May 2004 11:06:47 -0400
no.
On Mon, May 10, 2004 at 09:53:53AM -0400, Brian Toovey wrote:
> is this not the same person who misrepresented an openssh vuln last week?
>
> On May 10, 2004 09:42 AM, Richard Johnson <thief@xxxxxxxxxxx> wrote:
>
> >
> > iDEFENSE: The Power of Intelligence : Current Intelligence Report
> > iSecurity Brief 05.10.04: Why OpenBSD is more secure than Linux
> > Author: Richard Johnson, the DataThief
> >
> > Introduction
> > Well my mother just finished knitting me a new pair of asbestos
> > booties so I thought it was high time I try them out. Set phasers to
> > "flame". Please read the entire article before using them. Just
> > remember, I could have copped out by making the title something like
> > "Will Linux ever be as secure as OpenBSD?" or even "Which is more
> > secure, Linux or OpenBSD?". But I didn't. As well you should check out
> > the LASG/LSKB if you haven't already. I also know about ImmunixOS from
> > WireX and the NSA's SELinux (go read last week's column!).
> >
> > The code
> >
> > Let's face it, Linux is a great OS, I have more than a few machines
> > running it, but due to a number of factors it's never going to be as
> > secure as OpenBSD (which I also have running on several machines). But
> > Linux will never be as secure as OpenBSD, for technical, political and
> > marketing reasons. One of the most obvious differences between Linux
> > and OpenBSD (assuming you look under the hood a bit) is the fact that
> > OpenBSD has done an extensive code audit. The OpenBSD team has
> > literally spent dozens of man years of effort auditing code, not only
> > for security but for general correctness. Even the man pages for
> > OpenBSD are clean and consistent. This is a very proactive form of
> > security, OpenBSD fixes many problems before they become security
> > issues. No such form of extensive code audit exists in the Linux
> > world, and likely never will. Most vendors I have spoken with
> > typically have a small security team of less than a half dozen people
> > (usually much less). Even ignoring the fact that Linux vendors ship
> > many more packages as standard than OpenBSD (which tends to rely on
> > the ports collection for add on software) the basic components that
> > both Linux and OpenBSD have (kernel, command shells, system utilities,
> > etc.) are quite large, several hundred megabytes of source code in
> > total. There simply are not enough competent Linux programmers to do a
> > security audit on this code, let alone every vendor hiring enough
> > people to fix their own versions/etc. Even when vendors do do code
> > audits they typically face a problem, many programmers maintaining
> > software are indifferent, or even hostile to people sending them
> > security fixes, so it is very common for the original software to be
> > insecure, and the vendor must maintain their own patch set. This
> > problem affects OpenBSD far less as they maintain their own code base
> > now, and it has significantly diverged in many areas (ssh and OpenSSH
> > being a prime example). Even if Linux vendors want to audit all their
> > code there aren't enough Linux programmers capable of doing this. This
> > means that Linux vendors are essentially doomed to reacting to
> > security problems, applying patches and shipping out fixed versions of
> > software, leaving users open to vulnerabilities for hours, days or
> > even weeks in some cases.
> >
> > This is far more important than it sounds, even with additional
> > security products such as PitBull there may be ways for an attacker to
> > exploit some bug in the kernel that allows them to bypass add-on
> > security, this happened with PitBull for Solaris, PitBull was fine,
> > the Solaris kernel was not. Generally speaking add on security
> > products cannot completely protect the system, for example unless a
> > firewall product replaces the TCP-IP stack of an OS any problems in
> > the TCP-IP stack will still be exploitable.
> >
> >
> > Cryptographic software
> >
> > This is an area where OpenBSD trounces Linux. OpenBSD not only ships
> > OpenSSL, OpenSSH, IPSec, and several other cryptographic software
> > packages, but they have actually been largely responsible for OpenSSH,
> > which is an incredibly important piece of software now. While many
> > Linux vendors do ship OpenSSL and OpenSSH there are several that do
> > not (Caldera being a notable example). However no major Linux vendors
> > ship IPSec support built in, while there is a project for Linux IPSec,
> > it is difficult at best to install and configure, and at worst almost
> > impossible (I know, I've used it). OpenBSD on the other hand ships by
> > default with one of the best IPSec implementations available. OpenBSD
> > also provides a different (better in many ways) key daemon, with
> > support for various forms of authentication, an area where FreeS/WAN
> > is weak. Additionally because the majority of Linux work is done from
> > within the US (Linus Torvalds now lives there) there is almost no
> > cryptographic support built into the Linux kernel. If you want to add
> > crypto you must patch the kernel and rebuild it. Very few vendors, if
> > any at all (I'm not aware of a single one), ship any crypto built
> > into the kernel such as IPSec support, or any form of cryptographic
> > hooks (however many do ship OpenSSL/OpenSSH and other cryptographic
> > components). Because OpenBSD is done from Canada, the export of public
> > domain (usually interpreted as OpenSource) is not a problem, giving
> > you out of the box support.
> >
> >
> > Cryptographic hardware
> >
> > Yet another area where OpenBSD shines and Linux is almost completely
> > lacking. OpenBSD supports several cryptographic acceleration products,
> > allowing you to build very powerful (and cheap) IPSec gateways for
> > example. While there is some SSL acceleration hardware available for
> > Linux this is essentially an easy problem to solve (most web load
> > balancers can handle the encryption, and keep sessions organized
> > properly). There is as far as I know no IPSec capable hardware
> > acceleration products for Linux. As well OpenBSD is currently working
> > towards allowing hardware to accelerate other cryptographic software
> > such as ssh, which will become an increasingly large problem (how much
> > CPU would you have to add to a server to support 1000 users using ssh
> > instead of telnet?). As well with OpenSSH's support for large file
> > transfers (via scp and sftp) load on servers using the SSH protocol
> > will only increase.
> >
> > On the cryptographic front OpenBSD has Linux beat, hands down. The
> > chances of Linux gaining this support are slim for a number of
> > reasons, US crypto export policy, and a lack of programmers that are
> > capable of writing the software to name a few. This is not something
> > that will change for a long time (if ever).
> >
> > Happy customers
> >
> > Linux vendors care about having happy customers. OpenBSD developers
> > don't. The Linux market has become a very competitive space, with
> > around a dozen "major" distributions, and literally dozens (if not
> > hundreds) of smaller players. The major distributions generally pursue
> > similar markets, home desktop users, corporate/educational desktop
> > users and corporate/educational servers. Almost every commercial
> > vendor has invested significant effort in graphical installation
> > programs, desktop software like Gnome and KDE, and other
> > usability/entertainment/productivity software. There is absolutely
> > nothing wrong with this, as more people use Linux the installation
> > must become easier, and things like word processors are needed.
> > However it means that Linux vendors have to spend a lot more effort
> > pleasing users, several distributions now ship on multiple CDs
> > because of all the add on software they include. Although customers
> > complain about security, very few will actually take a secure product
> > instead of an insecure product with more features (even if they may
> > not need those features). Unless a sizable portion of customers start
> > putting their money where their mouth is vendors will not change
> > significantly.
> >
> > Secure by default
> >
> > In comparison OpenBSD 2.8's install files (all of them) are just over
> > 90 megs, installed (with everything) it requires around 200 megs of
> > space. The only things enabled by default in OpenBSD are those that
> > the developers deem "safe". For example Telnet is disabled by default,
> > and OpenSSH is enabled. Sendmail is configured to run in local queue
> > mode, it can send mail but not receive (you must add the "-bd" option
> > in rc.conf to enable it). As OpenBSD's webpage puts it:
> >
> > Four years without a remote hole in the default install!
> >
> > Which is not something any Linux vendor can claim (or ever will in all
> > likelihood). A typical installation of Linux will result in a half
> > dozen or more network services being started, and while some vendors
> > are starting to improve it is unlikely many will since disabling
> > things results in frustrated users and increased support costs
> > (although one wonders about the cost of rebuilding machines after they
> > are broken into).
> >
> > Summary
> >
> > We need to teach people how to program well, and then maybe we can
> > teach them how to program securely. We then need these programmers to
> > either completely rewrite major portions of the software most Linux
> > vendors ship, or audit the existing stuff (in both cases a task that
> > is unlikely to be done). Since this is basically impossible we need to
> > look at other solutions. ImmunixOS and SELinux are two solutions to
> > this problem, and when installed, maintained and used correctly they
> > do help, a lot. However this will not benefit the vast majority of
> > Linux users. OpenBSD users on the other hand have an extremely clean
> > and secure code base to work from, that is proactively being audited
> > on a continuous basis. Linux has dug itself into a very deep hole, and
> > appears to be digging downwards at an ever faster rate. Even with add
> > on software like PitBull LX, or NSA's SELinux kernel modifications
> > there are still potential security holes that could allow an attacker
> > to bypass any Mandatory Access Controls, RBAC, Type Enforcement as was
> > the case with PitBull for Solaris (Solaris had a flaw that allowed
> > attackers to compromise the system despite PitBull). Without a high
> > level of assurance in the actual source code of the Linux kernel and
> > associated files there will always be a hint of doubt about the
> > security of the system as a whole. This is why Linux can never be as
> > secure as OpenBSD.
> >
> > Reference links:
> >
> > http://www.openbsd.org/ - OpenBSD
> >
> > http://www.openbsd.org/security.html - OpenBSD security page
> >
> > http://www.openbsd.org/crypto.html - OpenBSD crypto page
> >
> > http://seifried.org/lasg/ - Linux Administrators Security Guide
> >
> >
> > _____________________________________
> > / Why can't those cheap bastards from \
> > \ Bank of America pay bills on time? /
> > -------------------------------------
> > \ _
> > \ (_)
> > \ ^__^ / \
> > \ (oo)\_____/_\ \
> > (__)\ ) /
> > ||----w ((
> > || ||>>
> >
> > About iDEFENSE:
> > iDEFENSE is a global security intelligence company that proactively
> > monitors sources throughout the world from technical vulnerabilities
> > and hacker profiling to the spread of viruses and other malicious code.
> > iALERT, our security intelligence service, provides decision-makers,
> > frontline security professionals and network administrators with timely
> > access to actionable intelligence and decision support on cyber-related
> > threats. We are currently trying for complete market dominance and hope
> > to soon eliminate the Carlyle Group by any means necessary. We already
> > have stolen their webdesign - their customer base is next. For more
> > information, visit http://www.idefense.com, or our research team's
> > official website at http://idefense.bugtraq.org.
> >
> > --
> > Richard Johnson, CISSP
> > Senior Security Researcher
> > iDEFENSE Inc.
> > thief@xxxxxxxxxxx
> >
> > Get paid for security stuff!!!!!!
> > http://www.idefense.com/contributor.html
> >
> > and become part of our research team!
> > http://idefense.bugtraq.org/
>
> Brian Toovey
> igxglobal
> 389 Main Street Suite 206
> Hackensack, NJ 07601
> Ph: 201-498-0555x2225
> btoovey@xxxxxxxxxxxxx
>
> Subscribe to the igxglobal Daily Security Briefing
> http://www.igxglobal.com/dsb/register.html
>
> igxglobal announces Daily Security Briefing newsletter
> http://www.prweb.com/releases/2004/5/prweb123759.htm
>
>
> The electronic message that you have received and any attachments are solely
> intended for the use of the addressee(s) and may contain information that is
> confidential. If you receive this email in error, please advise us by
> responding to NOC@xxxxxxxxxxxxxx You are required to delete the contents and
> destroy any copies immediately.
> igxglobal is not liable for the views expressed in this electronic message or
> for the consequences of any computer viruses that may be unknowingly
> transmitted within this message. This electronic message is also subject to
> standard copyright/ownership laws. It is not intended to be reproduced, or
> re-transmitted without the consent of the originator.
>
--
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief@xxxxxxxxxxx
Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html
and become part of our research team!
http://idefense.bugtraq.org/
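The "Secure by default" section of the quoted article makes a concrete, checkable claim: only the services the administrator explicitly allows should listen on the network (telnet off, OpenSSH on, sendmail in local queue mode unless "-bd" is added to its flags in rc.conf). The script below is an added example, not code from the original post or from OpenBSD; it turns that claim into a defender's audit. The function names `audit_listeners` and `sendmail_listens` are hypothetical, and `SAMPLE_SOCKETS` and `SAMPLE_RCCONF` are constructed sample data, not captured from any real host; on a live system you would feed in `netstat -an` (or `ss -tln` on Linux) output and the real rc.conf instead.

```shell
#!/bin/sh
# Added example (not from the original post): a "secure by default" audit.
# 1. Report every TCP socket listening on a non-loopback address whose port
#    is not on an explicit allowlist (here only sshd on 22, mirroring
#    "Telnet is disabled by default, and OpenSSH is enabled").
# 2. Report whether sendmail is configured to accept inbound SMTP, i.e.
#    whether "-bd" appears in its rc.conf flags, as the article describes.

# CONSTRUCTED sample: netstat-style listing of listening TCP sockets.
SAMPLE_SOCKETS='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN'

# CONSTRUCTED sample rc.conf fragment in OpenBSD style.
SAMPLE_RCCONF='sendmail_flags="-L sm-mta -bd -q30m"
sshd_flags=""'

# Ports that are allowed to listen on a non-loopback address.
ALLOWED_PORTS="22"

# audit_listeners LISTING
# Print "exposed: <proto> <addr:port>" for each LISTEN socket bound to a
# non-loopback address whose port is not in ALLOWED_PORTS. Loopback-only
# listeners are skipped because they are not reachable from the network.
audit_listeners() {
    while read -r proto _rq _sq laddr _raddr state; do
        [ "$state" = "LISTEN" ] || continue
        addr=${laddr%:*}     # text before the last ':'
        port=${laddr##*:}    # text after the last ':'
        case "$addr" in
            127.*|::1) continue ;;
        esac
        allowed=0
        for p in $ALLOWED_PORTS; do
            [ "$p" = "$port" ] && allowed=1
        done
        [ "$allowed" -eq 1 ] || echo "exposed: $proto $laddr"
    done <<EOF
$1
EOF
    return 0
}

# sendmail_listens RCCONF
# Succeed (exit 0) when sendmail_flags contains "-bd", meaning sendmail runs
# as a daemon accepting inbound connections instead of local queue mode.
sendmail_listens() {
    printf '%s\n' "$1" | grep -q '^sendmail_flags=.*-bd'
}

audit_listeners "$SAMPLE_SOCKETS"
if sendmail_listens "$SAMPLE_RCCONF"; then
    echo "sendmail: accepts inbound SMTP (-bd present)"
else
    echo "sendmail: local queue mode only"
fi
```

Run against the constructed sample, the audit flags telnet (23), portmap (111) and lpd (515) as exposed, accepts sshd (22) because it is allowlisted, ignores the loopback-only SMTP listener, and reports that the sample rc.conf enables sendmail's daemon mode. Extending the allowlist is a deliberate, reviewed decision, which is the point of the "secure by default" posture the article describes.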
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html