Forgot your password?
typodupeerror
Security Education Linux

Damn Vulnerable Linux — Most Vulnerable Linux Ever 227

Posted by timothy
from the in-context-it's-barely-vulgar dept.
An anonymous reader writes "Usually, when installing a new operating system, the hope is that it's as up-to-date as possible. After installation there's bound to be a few updates required, but no more than a few megabytes. Damn Vulnerable Linux is different; it's shipped in as vulnerable a state as possible. As the DVL website explains: 'Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn't built to run on your desktop – it's a learning tool for security students.'"
This discussion has been archived. No new comments can be posted.

Damn Vulnerable Linux — Most Vulnerable Linux Ever

Comments Filter:
  • by Anonymous Coward on Saturday July 17, 2010 @07:12PM (#32939760)

    Don't tell my boss.

    • by binarylarry (1338699) on Saturday July 17, 2010 @07:41PM (#32939922)

      Don't worry, it's still safer than the Windows servers you run.

      • Re: (Score:2, Insightful)

        by jellomizer (103300)

        Yes the random poke at Microsoft...
        Lets stay blind dumb and happy with our Linux.

        Linux isn't any more secure then Windows is. However Linux users like to get bragging rights because they release fixes to security glitches fixes (a good thing) much faster then Windows does. However security patches isn't the only thing...

        Usually the reason for most Vulnerabilities in Windows is due to stupid Administration. Being that windows is easier to maintain by the average joe, means that a lot of Windows Server Net

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          Pretending you are secure using DSL is just stupid.

          Your PC will be owned in 24h or less(how many rootkits are installed by default?). My web and ssh servers get attacks searching for common vulnerabilities constantly since the day I started them and they aren't even live yet. If they had been running any vintage version of Linux it would have been automatic pwnage.

          I wonder if streaming a Tb or two of good quality PRNG data into a bot or a "security researcher"'s computer would get me into any problems. They

        • by Pharmboy (216950)

          Come now, Microsoft has enough market share and billions of dollars that they don't really need you defending them. And as for security, the reason Linux is more secure than Windows has to do with the security model more than the actual software. Linux IS more secure than Windows, there is no doubt. People like to say it is because "People don't write viruses for Linux, just Windows" not realizing that it is much more difficult to write viruses/trojans for any Unix type system as it has security built in

          • 1. It isn't defending Microsoft it is trying to make sure the Linux Users are aware of the security to prevent them from being blind sided.
            2. Is it really that difficult to write a virus/trojan for linux... No not really... Most Linux distributions have a huge of scripts/python/perl code for a lot of the apps, at least to get them to start.
            So you make a script say a Python or Bash Script. That searches for files using find and grep that have the same interpreter you are using. Inject the Source for this sc

        • Re: (Score:3, Insightful)

          by Risen888 (306092)

          Being that windows is easier to maintain by the average joe

          Obviously it is not. It is easier to fuck up. That's a different thing altogether.

        • Re: (Score:3, Interesting)

          by Von Helmet (727753)

          A few years ago, around 2006/7, I worked in a (UK) school doing IT support. One of the guys in the science department was some kind of Linux geek. He had a Red Hat server running on the school network for some reason or other, I forget what, and he had requested and been given an external IP address on the network so that he could get in from home and do... whatever.

          So, one day the big talk is that the local education authority, who provided the Internet connection, have been getting calls from the US Dep

  • Or (Score:5, Funny)

    by Voulnet (1630793) on Saturday July 17, 2010 @07:13PM (#32939764)
    Or use a fresh install of XP.
    • Re:Or (Score:5, Funny)

      by Luckyo (1726890) on Saturday July 17, 2010 @08:07PM (#32940040)

      Ebola or AIDS. Choices!

      • by ultranova (717540)

        Ebola or AIDS. Choices!

        Ebola. You're either dead or cured within two weeks. With AIDS, you linger and die slowly for years, as well as spread the damn thing.

        In computer terms, a crash right away is better than a buffer overflow resulting in memory corruption and malware infection which makes your macine a part of a zombie network that keeps selling people illegal Viagra and spreading the infection. This is why managed environments are superior and should be used whenever possible.

        Ebola is better than AIDS,

    • Re:Or (Score:5, Interesting)

      by Co0Ps (1539395) on Saturday July 17, 2010 @08:07PM (#32940042)
      Seriously, I once attempted to see how long it would take to get a fresh install of XP hijacked on a virtual box. After about one hour of bad IE6 surfing on suspicious sites (would you like to download and run this? yes please) I had one or two pieces of malware installed that had taken over the computer completely, filling the screen with popups and disabling all kinds of system configuration tools.
      • Re:Or (Score:4, Insightful)

        by maxwell demon (590494) on Saturday July 17, 2010 @08:21PM (#32940094) Journal

        To be fair, if you download run random stuff from the web, your Linux computer isn't too secure either.

        • Re:Or (Score:5, Insightful)

          by tuxgeek (872962) on Saturday July 17, 2010 @09:41PM (#32940408)

          To be fair..
          most malware available for download on the web is designed to be run on windows
          It doesn't do anything much less run in linux

          Windows is such an easy target for exploit and success, it's everywhere and run by every bone-head idiot on the planet
          Linux on the other hand is most used by advanced individuals and can be very difficult to exploit making it a waste of time for the black hats, it can be done, but rarely successful

          • Re:Or (Score:5, Insightful)

            by bigstrat2003 (1058574) * on Saturday July 17, 2010 @10:53PM (#32940668)

            That's not the point. The point is that even if OS security were perfect, there would still be machines which were completely fucked. No amount of OS security will stop the user from wanting free kitten screen savers.

            This doesn't excuse vulnerabilities that do exist in operating systems, but since Co0Ps specifically mentioned that he/she was actively agreeing to download certain pieces of malware, it bears mentioning.

            • Re:Or (Score:5, Insightful)

              by rsborg (111459) on Sunday July 18, 2010 @02:35AM (#32941256) Homepage

              That's not the point. The point is that even if OS security were perfect, there would still be machines which were completely fucked. No amount of OS security will stop the user from wanting free kitten screen savers.

              You know, I'm going to get flamed to hell and back for this, but if you download (ie, buy a free app of) free kitten screensavers in iOS, you will likely have no security impact to your device... some (lots of) folks just can't be trusted outside walled gardens, and that's why Apple is doing so well.

            • Re:Or (Score:4, Insightful)

              by Co0Ps (1539395) on Sunday July 18, 2010 @05:36AM (#32941596)
              I have to disagree. If an OS had good security, just running an executable should not give it permission to disable system configuration and mess with system files. In XP if you had an administrator account (everyone did), even screensavers had full permissions. Yes, I surfed on possibly-malicious sites and opened possibly-malicious executables. After that, trying to open task manager gave me "Permission Denied". Also, If an OS has a PERFECT security model (which Linux hasn't), everything should be run sandboxed. In such an OS, you shouldn't be afraid of installing potentially malicious software, just like you're not afraid of visiting web pages with a secure web browser.
              • by boxwood (1742976)

                any OS thats usable is going to have susceptible to PBKAC. If the user is able to make and run executable, send and receive over the network, create and delete files, then malware is also going to have that ability. Yeah malware won't be able to mess with stuff in /usr/bin or /etc, but if can send out spam, delete all the files in your home directory, screw with your video settings, etc.

                Yeah, sure your linux system will reliably boot up no matter what a user does. But is anything going to work after the use

      • Re:Or (Score:5, Informative)

        by Culture20 (968837) on Saturday July 17, 2010 @10:30PM (#32940578)
        That's nothing. During the Blaster days, I stood by and let someone attach their computer to the network for updates after a clean install. It was an object lesson: Before she could navigate to windows update, it started rebooting again. Always update security patches from a known-safe medium.
        • Or at the very least, from behind a hardware firewall/router.

        • by Phroggy (441)

          NAT has only been the standard for about the last 10 years or so. Prior to that, a LOT of desktop PCs were connected directly to the Internet with publicly routable IPs and no firewall.

        • Re: (Score:3, Informative)

          by antdude (79039)

          I saw this happen with a 3 KB/sec dial-up connection too! It was nuts. My friend was wondering why his new XP Pro. downloads were so slow.

    • by causality (777677)

      Or use a fresh install of XP.

      Yeah but this is a learning distribution for security students. "Download this script-kiddie tool and point it at the XP machine's IP address" doesn't allow for much learning and understanding...

  • Big deal (Score:4, Funny)

    by Anonymous Coward on Saturday July 17, 2010 @07:13PM (#32939768)

    So it's like Fedora then.

    • Re:Big deal (Score:5, Insightful)

      by magsol (1406749) on Saturday July 17, 2010 @07:30PM (#32939868) Homepage Journal
      Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?
      • Re:Big deal (Score:5, Funny)

        by basscomm (122302) <{moc.skcosymmurc} {ta} {mmocssab}> on Saturday July 17, 2010 @07:39PM (#32939912) Homepage

        Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?

        You must be new here.

        • Re:Big deal (Score:5, Insightful)

          by keatonguy (1001680) <`keaton.prower' `at' `gmail.com'> on Saturday July 17, 2010 @08:21PM (#32940092)

          Don't be obtuse, he raises a good point. Linux is not infallible and shouldn't be treated as such even in light of it's advantages and the personal support we all have for it. Criticism breeds improvement. Keep that in mind, mods.

          • by DittoBox (978894)

            Constructive criticism said sans doucheiness breeds improvement.

            Criticism said to build oneself up breeds contempt.

            • A lack of exposure to criticisms breeds preciousness and a thin skin. Mods should also keep that in mind before sending a comment to -1 hell.

          • Re:Big deal (Score:5, Funny)

            by LynnwoodRooster (966895) on Saturday July 17, 2010 @09:55PM (#32940456) Journal
            Exactly. Everyone knows the only OS that gets to claim invulnerability is OSX...
          • Re:Big deal (Score:5, Insightful)

            by causality (777677) on Saturday July 17, 2010 @10:39PM (#32940606)

            Don't be obtuse, he raises a good point. Linux is not infallible and shouldn't be treated as such even

            Did it occur to you that the more experienced/advanced/technical users who tend to gravitate towards Linux are very much aware of this, that they administer their systems accordingly, and that this is in fact a big reason why successful malware "in the wild" is all but unheard-of on this platform? Compare to "buy the next version of Windows, it's easier and more secure than ever!" that carries the strong implication of "oh, security is someone else's problem". Not noticing or appreciating that difference would also be obtuse.

            What I am getting at is that there are both technical and cultural differences between the two platforms.

            • Did it occur to you that the more experienced/advanced/technical users who tend to gravitate towards Linux

              The proportion of naive users has grown a lot over the last few years, but the amount of malware has not (at least not in proportion)

          • by w0mprat (1317953)
            Agreed. So on the topic of infallibity, here's more criticism.
            1. Linux is still vulnerable through software the user runs. Vulnerabilities in popular browsers are still exploitable (Chromium, Firefox, Opera) etc. This doesn't give you low level access to the users system, but there is a helluva lot you can do once you've taken over a browser's running instance. (But Chrome has done a lot of work around sandboxing to address this).

            2. It's not necessary to have root to do a lot of damage - anything the us
          • But compared to Windows, it actually looks infallible. It’s like multiplying a very large number stored as floating point with a very small number. It won’t change the very small number because the small one is to small and it can’t compute. ^^

          • by http (589131)
            If criticism bred improvement, Windows would be so close to perfect it would bring you breakfast in bed. Criticism, and the inablility to hide the current source code tree from prying eyes, inspires improvement.
          • Re:Big deal (Score:5, Insightful)

            by CAIMLAS (41445) on Sunday July 18, 2010 @01:15AM (#32941078) Homepage

            Criticism, even if inaccurate?

            You can still run a multiple-year-old and barely-updated Linux distro on a public network and not fear being exploited. Sure, it can happen, but I'll be honest in saying the only times I've seen a Linux machine exploited was when it was horribly out of date (2.0 kernel in the early 2.6 kernel days) and was running samba... on a public network. That said, the exploit employed was over 6 months old at the time when the machine got exploited.

            Unless you're running a PHP based CMS or the like, it's pretty uncommon for a Linux machine to get exploited. PHP = bad.

          • You're right, it's not infallible. If a (l)user falls prey to the Dancing Bears Problem, their machine is going to be just as r00ted as the Windows box sitting next to it.

            What Linux has is (relative) obscurity and a decent security model. Want to change a system setting? Root password pls. Want to install software in /usr or /opt? Root password pls. You get the picture.

            The issue is that Windows makes it impossible to get any real work done (besides word-processing and that sort of thing) on a standard User

            • Re: (Score:3, Informative)

              You know that Windows Vista and Windows 7 were released which by default run the user as a limited user, and prompt for elevation when needed.
          • by selven (1556643)

            Well, to be fair, the statements about Windows and Fedora weren't really criticism, they were jokes playing to the common meme of Windows being insecure and the far less common meme of Fedora being insecure (that's why the Fedora joke got modded troll until someone came along and yelled at the mods).

      • Because Fedora is no laughing matter.

      • Re: (Score:3, Insightful)

        by causality (777677)

        Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?

        That has since been modded some more and now sits at +4 Funny at the time of this post.

        Had he denigrated Apple or its products, it would have gone down to -1 and remained there.

      • Because windows sucks and we all know it as fact?
      • by mangu (126918)

        Why is the OP - who is denigrating a Linux distro - modded a Troll, whereas the poster above him - denigrating Windows - modded as Funny?

        Because a fresh Fedora install is orders of magnitude safer than a fresh Windows install.

      • Re: (Score:3, Informative)

        by JonJ (907502)
        Ugh, I'm gonna undo all my mod points for this but... Fedora is on the bleeding edge, it has never been about stuffing the distro with old and vulnerable software. The comparison is so far off it's not even funny. If he'd said 'Debian Stable' I might've seen the humor in it, but using Fedora is a really poor example. So he's not only a troll, but a stupid one at that. And it's really annoying seeing all the hate Fedora and Red Hat gets here on /. even if they do amazing work for both servers and desktops. I
  • Great Learning Tool (Score:5, Informative)

    by bytethese (1372715) on Saturday July 17, 2010 @07:22PM (#32939806)
    We used it in my Forensic Computing masters program in some classes, definitely useful in our Network Security and Architecture of Secure Operating Systems classes to show what can happen with buffer overflows, gaining root access, etc.
  • by GNUALMAFUERTE (697061) <.moc.liamg. .ta. .etreufamla.> on Saturday July 17, 2010 @07:25PM (#32939836)

    A notable team of security researches are suggesting windows users migrate to a platform known as DVL. "DVL is a mess. It is vulnerable to a variety of attacks, but it is still more secure than the average windows install". Another researched pointed "Windows users must migrate to DVL immediately, in order to protect their computers".

    While several independent research groups are considering DVL as a valuable alternative to windows, Microsoft didn't stay behind, and promised to use DVL as the base of Windows 8, the upcoming version of windows. A spokesperson for Microsoft notified that microsoft decided to use DVL after thoroughly analyzing it, "It provides a great building block for the next release of our greatest product, DVL certainly fits like a glove within our strict security and QA policies".

    Windows 8: DVL Edition, the most secure windows version ever released, is scheduled to hit the shelves next summer.

    • Re: (Score:3, Interesting)

      by GNUALMAFUERTE (697061)

      Heheh, previous story says:

      "More than a year after Microsoft issue a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7."

    • Re: your sig...Try reading this one, instead...

      Structured Procrastination [structured...nation.com]

      • Very interesting. Thanks for the link.

        I am an awful procrastinator, but I do get things done, usually in a very similar fashion to the one explained in the link, many times even staying on-project. I usually split up projects into its parts, and when I get bored and try to avoid writing complex functions, I do interface work, or write a generic library to do $task, and generally procrastinate within a project by doing other parts that are not the major work that I had pending at the moment. This proves even

  • How long ? (Score:5, Funny)

    by Pelekophori (1045104) on Saturday July 17, 2010 @07:28PM (#32939854)

    till Microsoft uses it in get the facts comparisons?

    • by xs650 (741277)
      When I read the title I thought Microsoft was releasing a version of Linux.
    • Re: (Score:3, Interesting)

      A while back, IIRC, there was a story about the different ways that vulnerabilities are counted in Linux vs. Windows. There have been various MS-sponsored "studies" which sum the total number of vulnerabilities for all distros, so that if, for instance, the same vulnerability exists in Debian and Fedora, it's counted twice. (Likely much more than twice, since if it's in Debian, it's probably in all the Ubuntus too.) Meanwhile, of course, Windows vulnerabilities only get counted once. So don't be at all

  • by keeboo (724305) on Saturday July 17, 2010 @07:38PM (#32939906)
    Something philosophically similar which could be created is some sort of "weird arch" Linux for code debugging purpuses.
    Like something with 16bit chars and ints, non-0 NULLs... Perhaps running under an emulated invented weird architecture with strange byte order (non-LSB/MSB) and weird alignment issues.
    I wonder how many software would break.
    • by sconeu (64226) on Saturday July 17, 2010 @07:50PM (#32939970) Homepage Journal

      architecture with strange byte order (non-LSB/MSB)

      You mean like the PDP-11 [wikipedia.org]?

      0x11223344 was stored in memory as 0x33 0x44 0x11 0x22

    • by ls671 (1122017) *

      > Something philosophically similar

      Maybe, but for me "weird arch" Linux equals security through obfuscation. I know it doesn't qualify as real security but "security through obfuscation" has saved our asses a few times against zero-day exploit or more like "less than 1 day exploits" I should say. In our case, "obfuscation" is just using custom configurations, chrooting things, using reverse proxies and limiting reachable URL. etc.

      Just changing the default admin username on things like MySql, FreePBX, Joo

      • by afabbro (33948)

        > Something philosophically similar

        Maybe, but for me "weird arch" Linux equals security through obfuscation.

        The grandparent was not discussing security at all, but rather a distro "for code debugging purposes". I know you just learned about security by obscurity and how to modify /etc/passwd from reading a blog today and can't wait to use this new knowledge, but your multi-paragraph was kind of silly.

      • by mlts (1038732) * on Sunday July 18, 2010 @03:40AM (#32941384)

        If you are feeling really insane, some UNIX operating systems can dispense with root altogether, even past having it disabled for logins (like how OS X has it present but not usable until explicitly turned on). AIX 6.x has the ability to completely chuck root (where stuff running as UID 0 is essentially running as nobody with no privs whatsoever), and what would have been handled by the superuser is handed off to other users as roles. Of course, if a critical role isn't defined before root gets stripped of its mantle of rulership, well, have fun rebooting to install media or to a NIM server and fixing that.

        Some UNIX variants don't care a bit if the user root is renamed. Others will choke and give up the ghost. Ideally it would be nice to rename the root user (and put a dummy user named root just for kicks, similar to how Windows admins worth their salt have a bogus Administrator user with insane amounts of logging enabled), but it is hard to tell which UNIX variants don't care, and which will be really unhappy.

        Maybe the best of all worlds is to have SELinux-like ACL policies be made into an easier pill to swallow. For example, a Web browser should not have access to a user's .xinitrc, .profile, .bashrc, or other files. If a policy enforces this, even if a Web browser is completely compromised, there is no way a blackhat can install software running in the browser's context that would start on a login, nor even with a valid su or sudo password, would ever get to a "#" prompt. By focusing on isolating applications, a system can be partially compromised, but not completely taken over, unless the security problem lies in a critical subsystem like ssh/sshd where it really can't be put into a fenced in playground.

        As for obfuscation, it does work against script kiddies, but a blackhat worth his salt will eventually go through the IP range and find that one randomly named server is listening on port 80 and 443, and communicating with some other box via some ports that are usually for Oracle. Security through obscurity is not a good solution in the long run.

    • by deniable (76198)
      Well, let's see it breaks things. We'll call it Sid. Oh, damn. At a higher level, play with things like file permissions and see what kind of helpful error messages you get. Making developers watch their work tested in a toxic environment may be eye opening.
    • by chgros (690878)

      Well, POSIX requires CHAR_BIT to be 8, so if you change that it's normal if it breaks.
      But otherwise to test portability this seems interesting, although it would be most interesting if it could detect when something isn't done right.
      Most importantly though, you'd need a compiler to target this architecture.
      For instance, NULL being 0 is usually not part of the computer architecture itself; 0 is addressable on x86, causing this bug:
      http://lwn.net/Articles/341773/ [lwn.net]

    • Your imagination is weak! How about...

      • dog-eat-dog multi-tasking (who can grab the most resources, wins), with the kernel running in the outmost shell, being dominated by the apps
      • 9 bit “bytes”/chars, non- IEEE floating point with a structure that makes no fuckin sense at all, +INF and +0 being the same, but no -INF existing, overflow and underflow resulting in bitshifts, 27 bit words, with a fractal-reversion BIT (not byte) ordering that looks more like enryption than the same data,
      • pointers havi
  • by ls671 (1122017) * on Saturday July 17, 2010 @07:58PM (#32939998) Homepage

    We are working on a honey pot module for Damn Vulnerable Linux, it should be coming out soon ;-)

    Basically log all activity to a network server while hiding the fact that we are doing it. Just refresh from a fresh image once in a while. Once an intruder is noticed, we can give him as many rights as we want in real time, especially with regards to network connectivity, which is done at the firewall level. It is a nice way to get a good grip of what is running in the wilderness of the internet. If you are lucky enough, you can even learn about unpublished exploits although I would use a up to date distro to specifically discover these.

  • This will bring Linux to the desktop!

  • by ducomputergeek (595742) on Saturday July 17, 2010 @08:46PM (#32940194)

    would it be ClosedBSD?

  • What did Consumer Reports say about DVL? I predict its either "No thanks, we'll pass, not vulnerable enough." or "Excellent! The most vulnerable OS yet!"
  • by Tracy Reed (3563) <treedNO@SPAMultraviolet.org> on Saturday July 17, 2010 @10:03PM (#32940486) Homepage

    You just know MS is going to count the vulnerabilities in this distro against Linux just like how they count one vulnerability which affects 10 distros as 10 vulnerabilities because 10 warnings get sent out.

  • Semi-dupe (Score:5, Insightful)

    by Improv (2467) <pgunn@dachte.org> on Saturday July 17, 2010 @11:11PM (#32940724) Homepage Journal

    This was in the list of "most interesting linux distros" posted here maybe two weeks ago. Sigh.

  • Now they have something they can favorably compare themselves against!

    "This Linux has all these bugs in it and they haven't repaired ANY of them!"

  • by kolbe (320366)

    At my last job, the "boss" was too cheap to purchase a descent VPN solution (I later convinced him to buy a Cisco ASA5520), so I deployed a series of IPCop servers... one as a firewall and one as a VPN server. Between the firewall and VPN Server I had fronted an old Pentium 2 based Windows 2000 server in the DMZ to give the appearance that an attacker, had they gotten through, would have figured they hit the "honeypot". I ran this configuration for almost a year and had one attacker get through because I ha

The test of intelligent tinkering is to save all the parts. -- Aldo Leopold

Working...