Security Education Linux

Damn Vulnerable Linux — Most Vulnerable Linux Ever 227

Posted by timothy
from the in-context-it's-barely-vulgar dept.
An anonymous reader writes "Usually, when installing a new operating system, the hope is that it's as up-to-date as possible. After installation there's bound to be a few updates required, but no more than a few megabytes. Damn Vulnerable Linux is different; it's shipped in as vulnerable a state as possible. As the DVL website explains: 'Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop – it's a learning tool for security students.'"
  • by GNUALMAFUERTE (697061) <.almafuerte. .at. .gmail.com.> on Saturday July 17, 2010 @07:27PM (#32939850)

    Heheh, previous story says:

    "More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7."

  • by keeboo (724305) on Saturday July 17, 2010 @07:38PM (#32939906)
    Something philosophically similar which could be created is some sort of "weird arch" Linux for code debugging purposes.
    Like something with 16-bit chars and ints, non-0 NULLs... Perhaps running under an emulated invented weird architecture with strange byte order (non-LSB/MSB) and weird alignment issues.
    I wonder how much software would break.
  • by sconeu (64226) on Saturday July 17, 2010 @07:50PM (#32939970) Homepage Journal

    "architecture with strange byte order (non-LSB/MSB)"

    You mean like the PDP-11 [wikipedia.org]?

    0x11223344 was stored in memory as 0x33 0x44 0x11 0x22
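    The byte layout quoted above is a good excuse to show how code that reads multi-byte integers should be written if it is to survive an unusual architecture: with the byte order spelled out as a permutation rather than assumed by casting a pointer. The block below is an added example, not something from the comment or from any PDP-11 documentation; the layout constants are constructed for illustration (the `COMMENT_MIDDLE_ENDIAN` tuple reproduces exactly the 0x33 0x44 0x11 0x22 ordering quoted above), and the last function shows what an LSB-first assumption makes of those same four bytes.

```python
"""Byte-order-explicit 32-bit load/store (added example, not from the page).

A *layout* is a tuple giving, for memory positions 0..3, which byte of the
value lands there (0 = most significant byte, 3 = least significant).
"""

BIG_ENDIAN = (0, 1, 2, 3)           # 0x11223344 -> 11 22 33 44
LITTLE_ENDIAN = (3, 2, 1, 0)        # 0x11223344 -> 44 33 22 11
# The middle-endian layout quoted in the comment above: 0x11223344 -> 33 44 11 22
COMMENT_MIDDLE_ENDIAN = (2, 3, 0, 1)


def _check_layout(layout: tuple[int, ...]) -> None:
    """A layout must place every byte exactly once."""
    if sorted(layout) != [0, 1, 2, 3]:
        raise ValueError("layout must be a permutation of 0..3")


def value_bytes(value: int) -> list[int]:
    """Split a 32-bit value into its four bytes, most significant first."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("value does not fit in 32 bits")
    return [(value >> shift) & 0xFF for shift in (24, 16, 8, 0)]


def store32(value: int, layout: tuple[int, ...]) -> bytes:
    """Serialise a 32-bit value into 4 bytes using the given layout."""
    _check_layout(layout)
    msb_first = value_bytes(value)
    # Position i of the output receives byte layout[i] of the value.
    return bytes(msb_first[source] for source in layout)


def load32(data: bytes, layout: tuple[int, ...]) -> int:
    """Parse 4 bytes that were written in the given layout back into an int.

    Works on any byte offset: no pointer casting, so alignment rules of the
    host are irrelevant and the result is the same on every machine.
    """
    _check_layout(layout)
    if len(data) != 4:
        raise ValueError("need exactly 4 bytes")
    msb_first = [0] * 4
    for position, source in enumerate(layout):
        msb_first[source] = data[position]
    return int.from_bytes(bytes(msb_first), "big")


def naive_little_endian_read(data: bytes) -> int:
    """What code that silently assumes LSB-first makes of the same bytes."""
    return int.from_bytes(data, "little")


if __name__ == "__main__":
    raw = store32(0x11223344, COMMENT_MIDDLE_ENDIAN)
    print(raw.hex(" "))                                    # 33 44 11 22
    print(hex(load32(raw, COMMENT_MIDDLE_ENDIAN)))         # 0x11223344
    print(hex(naive_little_endian_read(raw)))              # 0x22114433
```

The round trip through `store32`/`load32` is identical for all three layouts; only the naive reader, which bakes the host's byte order into the parse, gets a different number for the same bytes. That is the class of bug the "weird arch" Linux in the comment above would surface, and it is why binary-format parsers in security-sensitive code should decode byte by byte.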

  • Re:Or (Score:5, Interesting)

    by Co0Ps (1539395) on Saturday July 17, 2010 @08:07PM (#32940042)
    Seriously, I once attempted to see how long it would take to get a fresh install of XP hijacked on a virtual box. After about one hour of bad IE6 surfing on suspicious sites (would you like to download and run this? yes please) I had one or two pieces of malware installed that had taken over the computer completely, filling the screen with popups and disabling all kinds of system configuration tools.
  • Re:How long ? (Score:3, Interesting)

    by Daniel Dvorkin (106857) * on Sunday July 18, 2010 @12:12AM (#32940902) Homepage Journal

    A while back, IIRC, there was a story about the different ways that vulnerabilities are counted in Linux vs. Windows. There have been various MS-sponsored "studies" which sum the total number of vulnerabilities for all distros, so that if, for instance, the same vulnerability exists in Debian and Fedora, it's counted twice. (Likely much more than twice, since if it's in Debian, it's probably in all the Ubuntus too.) Meanwhile, of course, Windows vulnerabilities only get counted once. So don't be at all surprised to see stories along the lines of "5000 new Linux vulnerabilities discovered!" coming from the astroturfers soon.

  • by Anonymous Coward on Sunday July 18, 2010 @01:53AM (#32941166)

    Pretending you are secure using DSL is just stupid.

    Your PC will be owned in 24h or less (how many rootkits are installed by default?). My web and ssh servers get attacks searching for common vulnerabilities constantly since the day I started them and they aren't even live yet. If they had been running any vintage version of Linux it would have been automatic pwnage.

    I wonder if streaming a TB or two of good quality PRNG data into a bot or a "security researcher"'s computer would get me into any problems. They always seem so sad when they find nothing to grab. They are the ones making the HTTP or SSH request; it's not my fault they discover my RNG server ;)

  • by mlts (1038732) * on Sunday July 18, 2010 @03:40AM (#32941384)

    If you are feeling really insane, some UNIX operating systems can dispense with root altogether, even past having it disabled for logins (like how OS X has it present but not usable until explicitly turned on). AIX 6.x has the ability to completely chuck root (where stuff running as UID 0 is essentially running as nobody with no privs whatsoever), and what would have been handled by the superuser is handed off to other users as roles. Of course, if a critical role isn't defined before root gets stripped of its mantle of rulership, well, have fun rebooting to install media or to a NIM server and fixing that.

    Some UNIX variants don't care a bit if the user root is renamed. Others will choke and give up the ghost. Ideally it would be nice to rename the root user (and put a dummy user named root just for kicks, similar to how Windows admins worth their salt have a bogus Administrator user with insane amounts of logging enabled), but it is hard to tell which UNIX variants don't care, and which will be really unhappy.

    Maybe the best of all worlds is to have SELinux-like ACL policies be made into an easier pill to swallow. For example, a Web browser should not have access to a user's .xinitrc, .profile, .bashrc, or other files. If a policy enforces this, even if a Web browser is completely compromised, there is no way a blackhat can install software running in the browser's context that would start on a login, nor, even with a valid su or sudo password, would ever get to a "#" prompt. By focusing on isolating applications, a system can be partially compromised, but not completely taken over, unless the security problem lies in a critical subsystem like ssh/sshd where it really can't be put into a fenced-in playground.

    As for obfuscation, it does work against script kiddies, but a blackhat worth his salt will eventually go through the IP range and find that one randomly named server is listening on port 80 and 443, and communicating with some other box via some ports that are usually for Oracle. Security through obscurity is not a good solution in the long run.

  • Re:Or (Score:2, Interesting)

    by maxwell demon (590494) on Sunday July 18, 2010 @05:10AM (#32941548) Journal

    That's not the point. The point is that if you actively download and run random stuff from the web, it doesn't tell much about the security of the OS if you get lots of malware.

    However, I can imagine that the first sort of widespread malware on Linux will be cross-platform Firefox extensions. It shouldn't be too hard to write an extension that does something users want, but also contains some malicious code. That code would have full access to anything you browse, including your banking site and all passwords to various web sites, and it could silently send that data to an arbitrary place, or silently manipulate it. If the extension is otherwise useful, people may install it. For example, how many people have inspected the source of NoScript before they installed it? And of every update as well? I haven't. I installed it because it has functionality I want, I've read lots of recommendations, it has lots of users, and it is on the official Mozilla add-on site. Also the fact that this add-on is quite complex and very actively maintained and developed is IMHO an indication that it's not just a way to introduce malware. However, what if someone would manage to hack the web site and push a slightly modified version as an update? Note that this would hit exactly those people who are least likely to get other malware.

    There's a reason why I created a second profile in Firefox where absolutely no extensions are installed. That's what I use for online banking.

  • by Zero__Kelvin (151819) on Sunday July 18, 2010 @09:48AM (#32942382) Homepage

    "Linux isn't any more secure then Windows is."

    So all anyone really wants to know after reading your post is: "Are you simply an ignorant moron, or are you a troll as well?"

  • by Von Helmet (727753) on Monday July 19, 2010 @08:15AM (#32949260)

    A few years ago, around 2006/7, I worked in a (UK) school doing IT support. One of the guys in the science department was some kind of Linux geek. He had a Red Hat server running on the school network for some reason or other, I forget what, and he had requested and been given an external IP address on the network so that he could get in from home and do... whatever.

    So, one day the big talk is that the local education authority, who provided the Internet connection, have been getting calls from the US Department of Defence wanting to know why they're getting hundreds of thousands of hits to some of their servers from this address block. The education authority traced it to the school and we traced it to this guy's Red Hat server and pulled the plug. I didn't get a good look at it, but it was running a 2.4 kernel well into the 2.6 days, so I'm guessing there were plenty of other things that were out of date on there.

    I don't know whether you'd lay the blame on the science teacher or the admin who let him put that box on the network with an external IP address and then didn't spot oodles of outgoing SSH attempts or whatever, but one way or another someone took it on trust that someone else knew what they were doing with Linux when they clearly didn't.
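    The story above ends with nobody spotting "oodles of outgoing SSH attempts". A compromised box used for scanning has a recognisable shape in the perimeter firewall's own logs: one internal source opening connections to many distinct destinations on port 22 within a short window, which an administrator's legitimate SSH use does not do. The following is an added example, not anything from the comment or the school in question; the netfilter-style log lines are constructed for the demonstration (documentation-range addresses), and the 60-second window and the threshold of five distinct targets are assumed tuning values.

```python
"""Flag internal hosts spraying outbound SSH connections (added example).

Input is a handful of constructed netfilter LOG lines of the usual
"kernel: <prefix> IN=... OUT=... SRC=... DST=... PROTO=TCP ... DPT=..." shape.
A source that reaches many *distinct* hosts on TCP/22 inside one window is
flagged; an admin reconnecting to the same server a few times is not.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.10.5.23 fans out to six hosts in four seconds,
# 10.10.5.40 is an admin talking to one server, plus one non-firewall line.
SAMPLE_LOG = """\
Jul 19 08:00:01 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.23 DST=203.0.113.1 PROTO=TCP SPT=41001 DPT=22 SYN
Jul 19 08:00:01 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.23 DST=203.0.113.2 PROTO=TCP SPT=41002 DPT=22 SYN
Jul 19 08:00:02 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.23 DST=203.0.113.3 PROTO=TCP SPT=41003 DPT=22 SYN
Jul 19 08:00:02 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.23 DST=203.0.113.3 PROTO=TCP SPT=41004 DPT=22 SYN
Jul 19 08:00:03 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.23 DST=203.0.113.4 PROTO=TCP SPT=41005 DPT=22 SYN
Jul 19 08:00:03 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.23 DST=198.51.100.9 PROTO=TCP SPT=41006 DPT=443 SYN
Jul 19 08:00:04 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.23 DST=203.0.113.5 PROTO=TCP SPT=41007 DPT=22 SYN
Jul 19 08:00:05 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.23 DST=203.0.113.6 PROTO=TCP SPT=41008 DPT=22 SYN
Jul 19 08:03:10 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.40 DST=10.10.5.41 PROTO=TCP SPT=50001 DPT=22 SYN
Jul 19 08:41:55 gw kernel: FW-OUT IN= OUT=eth0 SRC=10.10.5.40 DST=10.10.5.41 PROTO=TCP SPT=50002 DPT=22 SYN
Jul 19 08:42:00 gw sshd[2211]: Accepted publickey for admin from 10.10.5.40 port 50002 ssh2
"""

# Lazy ".*?" gaps absorb the LEN=/TOS=/TTL= fields a real line carries.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \S+ .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

WINDOW = timedelta(seconds=60)   # assumed tuning value
THRESHOLD = 5                    # distinct SSH targets per window; assumed


def parse_line(line: str):
    """Return (timestamp, src, dst, proto, dport) or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; only deltas matter here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def ssh_fanout(log_text: str, window: timedelta = WINDOW) -> dict[str, int]:
    """Map each source to the largest number of distinct TCP/22 targets
    it contacted within any single window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, proto, dport = parsed
        if proto == "TCP" and dport == 22:
            events[src].append((ts, dst))
    fanout = {}
    for src, hits in events.items():
        hits.sort()
        best = 0
        for i, (t_end, _) in enumerate(hits):
            # distinct destinations in the window ending at this event
            recent = {d for t, d in hits[: i + 1] if t_end - t <= window}
            best = max(best, len(recent))
        fanout[src] = best
    return fanout


def flag_scanners(log_text: str, threshold: int = THRESHOLD,
                  window: timedelta = WINDOW) -> list[str]:
    """Sources whose port-22 fan-out reaches the threshold."""
    return sorted(src for src, n in ssh_fanout(log_text, window).items()
                  if n >= threshold)


if __name__ == "__main__":
    for src, n in ssh_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SSH targets in one window")
    print("flagged:", flag_scanners(SAMPLE_LOG))   # flagged: ['10.10.5.23']
```

Counting distinct destinations rather than raw connection attempts is the point: a retry storm to one server stays at a fan-out of 1, while a scanner has to touch many hosts to be useful, so this single measure separates the two without needing signatures. In a real deployment the source would be the firewall's log stream and the threshold would be set from a baseline of normal admin traffic.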
