Linux Software

PCWeek "Hack This Page" Cracked 258

mrflip writes "On September 20th, PCWeek announced a $1000 contest to be the first to hack either the linux or the NT server they set up. Well, four short days later, the linux box seems to have been compromised. The winner states "Hi guys, It's been a nice challenge, now send me the cash :)." He explained that the exploit was not a linux feature but was due to a closed source CGI script with improper security checks." Going to require Solomonic ruling - the intent was to test the two OSes, and this is obviously not an OS test.
This discussion has been archived. No new comments can be posted.

  • These "hack this box" attempts are nothing more than publicity stunts, meant to satisfy a particular political agenda. They prove nothing technically.

    These stunts generally only attract script-kiddies... a population against which any reasonably competent sysadmin can protect themselves with a fair amount of effectiveness no matter WHAT their OS is (yes, even NT).

    The type of cracker that doesn't go in for these cheap publicity shots is the type that you really need to be worried about anyway, and those crackers will penetrate your defenses no matter what you do to stop them.

    For an interesting read on the type I'm referring to, check out the 8 second crack [securityfocus.com] article on the internet auditing project. It's a long (but interesting read), the particularly juicy part is down in the Third week section.

    That kind of cracker doesn't particularly care which OS you're running, they'll drop you in your tracks no matter what.

    -- Gary F.
    • Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password. If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.

    Something that I think a lot of people fail to forget is the fact that linux is not a desktop OS (yet). As things stand now, linux is a server. It doesn't "do" games linux windows, it doesn't "do" the common desktop things like windows does. Face it. In the area of mass induhvidual usage, windows has the market.

    But Dave! What of GNOME and KDE? I shall enlighten you. They are wonderful. They are ubercool. But have you ever tried to sit a newbie down in front of gnome and explain the concept of "multiple desktops" and the "pager" to 'em? The reason linux is harder to secure is because most distributions' default install starts up all sorts of unrequired stuff, because, generally.. well, really, I have no idea why they start it up. When installing windows, you don't have to worry about a FTP server, or a NFS server, or a NIS/NIS+ server, or a DNS (would you like caching with that?) server, or a ...


    I want a rock.

  • >Question- if the same CGI script(s) were running on both systems, why didn't it fail on the NT system as well?

    They didn't run the same application on both servers.

    Here is a quote from a ZDNet [zdnet.com]

    On each of the servers we loaded similar applications. For NT, we developed a classified-ad engine based on a Microsoft Guestbook application. For Linux, the Labs chose Smart Photo Ads, a popular classified-ad engine for the platform. Both the NT and Linux apps have stored user names, which represent proprietary data and require sites to maintain a secure status.

    They go into other details on the page.

  • Seems to me that this is what linux advocates should want: direct, high-profile comparisons to NT. That's how you get mindshare. This won't be the last test like this. NT will "win" some, Linux will "win" some, there will always be arguments about how the test was conducted. But it will get people thinking that it's reasonable to speak of both OS's in the same breath.
  • by Alascom ( 95042 ) on Friday September 24, 1999 @10:25AM (#1661734)
    That rant of yours is very funny. Let me explain that securent.hackpcweek.com IS vulnerable. The problem isn't NT however, it's in the HTML code on the server. Similarly, the Linux wasn't vulnerable, but the CGI script was. YES, SECURENT CAN BE HACKED. You heard it here first. The rules state: break into the system, modify pages, and/or steal user information. Well, according to those rules it can be broken. Let me explain. I examined the SECURENT html source and noticed several links to "www.hackpcweek.com.com" (notice the extra .com). Then I contacted Curt Connell with EDS who is Administrative contact for COM.COM. (Please don't call or bother him anymore). A simple 'A' record in the .com.com DNS server referring 'www.hackpcweek.com.com' to my own web server would allow me to steal user information. What's more, the user would believe they were still on a real "pcweek" server seeing valid pcweek documents, allowing me to send malicious code, request confidential information, etc. Curt was unable to get "official" EDS permission to create the 'A' record, but the hack is valid and does exist. (Again, please do not bother Curt anymore). A simple goof in the HTML code renders the NT box 'hackable'. A side benefit is we circumvent the Firewall, IDS and other security features by just directing to another site. Oops. The NT 'IS' vulnerable to attack. In closing, don't consider an operating system insecure based on the applications (or HTML) that's on it. -Alascom alascom@dc2600.com
  • Maybe because there are no Mac servers out there?

  • That doesn't denote OS integration, it denotes a lack of cross platform availability. Don't confuse the issue.
  • by Anonymous Coward
    if the CGI script was owned by nobody then it is logical the webpage was also owned by nobody and possibly had the permissions 4600, therefore, the CGI script had possible write access to the webpage.

    No, it's not logical at all. Why would you run a webserver as a different user and then chown all the files in htroot to that user's ID?

    What's the point? The idea is to do damage control and so the webserver's uid (nobody) shouldn't have any rights to do anything else.

  • Linux did not lose. A CGI script lost.

    --
  • Cool, someone else who noticed that. That's the bass thingie, I wondered why nobody seemed to have noticed this before.
    Last year, someone on alt.hackers.malicious bothered everyone when he posted his ip-address and told the people they would not be able to hack him, because his nt-box was so secure. This happens always by someone who wants to get someone else in trouble, but this time it was really the guy's own machine.
    Three days later he posted from a different os (w95) and told that someone had broken into his machine and wiped his hd. He continued to say that this guy had contacted him afterwards and that this guy was a security pro. The pro explained him that he didn't have any chance from the beginning, despite following all ms security advisories - that's the joy of black box systems...
  • NETWATCH.EXE
    It is in the NT Server Resource Kit.
    You can see who is accessing your (or anyone else's) files. Actually can be very useful.
  • come with those cgi scripts automatically installed? I don't think so, thus it is not a problem with an out of the box distro, but rather their (or someone else's) programming.
  • I quite agree. However, whereas this does not prove anything regarding Linux, it certainly does prove something regarding the Red Hat secure server as it was shipped until now (I guess there will be some updates in a near future)

    P.S. Any news regarding the 'RedHat Linux on NT' diagnostic by netcraft ?
  • by platinum ( 20276 ) on Friday September 24, 1999 @07:35AM (#1661752) Homepage
    A system's security is only as good as its administrator.
  • by Anonymous Coward
    This has nothing to do with Unix security. Obviously the admin didn't bother to set up any security.

    Of course it has. With Inferno for instance you would have run the script with an empty name space (the script can only access an empty directory and nothing out of this), and it won't matter if you are user sys, nobody, or god. You can achieve the same thing by doing a chroot on your script, but then your server needs to be running as root, and some problems appear. Because chroot brings too many problems, it is not used as much as it should be. Because Inferno namespaces are properly implemented, they would be the default on any server using CGI scripts. Security by correct design.

    If the script was running as "nobody", it would be nearly impossible to crack the system with it.

    First you are assuming that no setuid program is available that has problems (which I doubt). Second you are assuming that reading some files is not a problem, which I disagree (for instance, some files could hold passwords, used by other authentication CGI scripts, run as "nobody").

    You can make a Unix installation secure (with chroot, directory changes, etc...), but the problem is that you have to go through an exhaustive examination of possibilities (you must set all the directory/files user/group/public rights correctly, and check that all the scripts create files with proper rights). The problem is: everything that is not explicitly checked and forbidden might be exploitable. Compare with Inferno security, when you empty the namespace of a process: everything that you have not explicitly allowed is not doable. Unix is insecure by default, but can be secured by exhaustive review. This is not a good security model.

    Unix security could be better, but setting it up correctly would have prevented this crack.

    It should have been set correctly by default. It wasn't, because it is inconvenient, or not possible (the CGI author, doesn't know how 'nobody' is used on the host machine [could be used for printing, etc..]. Only the admin knows, and has to review everything).

  • Thanks for responding
    It must be tested
    Totally agree.
    I hope Linux comes out on top ...I sincerely believe that it will ...but it's my responsibility to be open to an alternate outcome.
    Okay, I was responding to one point in your post, we both know this, and I know that you didn't mean it quite the way it came out, but I still felt inspired. It's not often that I do that, well, at least as effectively.
    The most secure OS will win, and we ALL know that that hasn't come out yet.
    Linux isn't it, WinNT isn't it, Mac isn't it, BeOS isn't it(not much of a server even, but it's not made for that, which is another point, but I like mentioning my fav OS in any post:), FreeBSD isn't it.
    Any system that is turned on is insecure. We all know this. It's the first rule of computer security. However, all solutions must be tested fairly.
    I'm all for these competitions, not because today the NT folks come out on top and tomorrow Linux will, and so on, and their respective zealot users will still bicker and post on comp.os.*.advocacy. As long as the coders and testers and hackers (the survival of the fittest element) realize what's going on, I think these contests do nothing but help.
    For *'s sake, it's just an operating system!
    Just because I'd build a machine for my girlfriend and put windows on it doesn't mean windows is the end all/be all. Just cuz I'd choose Be as my desktop and Linux as my local server, doesn't mean anything!
    Security is everyone's business, not just the NT or the *nix folks or the mac folks either. When one site gets hacked, there's something wrong, fix it, no matter the OS.
    This pesky OS battle shit is dumb and we all know it, even if we continue with our little Linux/Be/Win/Mac/BSD/Amiga/Unix/(brand new thing here), we need to get our heads out of our ass and realize that command prompt or mouse pointer, there's work to do.
    For some of us that's security and stability issues. For others it's just to type a memo, for others still it's the great american novel or CD of the year.
    Have a nice day.
  • by flatrock ( 79357 ) on Friday September 24, 1999 @07:35AM (#1661755)
    The test has some flaws. They should pay the winner, fix the faulty CGI script, and try again.

  • Referring to a single person of unknown gender as "they" is common slang but is not correct English.

    Or maybe it's just incorrect in the American dialect of English especially since the FAQ reference given is to an American site.
    Note that in English there is at least one other example of a supposedly plural pronoun being used as singular. Though you have to be the monarch to do so.
  • Unless both systems were running the same web server, and the same set of scripts, the whole contest is really irrelevant. Until they install Apache on both boxes and choose a common scripting platform, they are wasting everyone's time.
  • For the same reason as I said above, as well as the fact that most Windows users probably wouldn't notice the fact that they'd been cracked. They can't simply type "w" and see who's logged in, and they're more used to seeing their computer slowing down and having the drives running for god-knows-what-reason. Last time I was using a cable modem, there were several dozen machines that would've been rather easy to get into because they had their drive shared without a password. Short of deleting all the files, how would anyone possibly know I was in their stuff? They wouldn't. And even if I deleted any of their files, without the logging present like there is under Unix, they wouldn't be able to figure out that it was an external user that wiped the files, and not some weird glitch in the system.

    Actually, NT's file auditing features are great. The NT security model is very smooth on the small scale. I mean, within the server and for remote connections to the server. They're just not turned on by default... but neither are Linux's.

    Credit where credit is due. The fact of the matter is, unless this CGI hack managed to somehow dig out a root exploit from a non-privileged account, this was not an OS bug. Linux as an operating system DOES protect against this sort of thing. There is no reason whatsoever that the files should have been capable of being modified by the user of the CGI application. The fact of the matter is that the operating system was not configured at all for security. They relied 100% on the CGI application to defend their files.

    A non-privileged application had a bug in it which allowed someone to modify unprotected files. Quick, send out the CERT advisory!


  • Linux is not that easy to setup securely. And obviously, looking at the LONG list of non-standard changes made to the NT box, neither is NT.

    If you are making "non standard" changes with the idea of increasing security you had best know exactly what you are doing. Otherwise the most likely result is less security.

    Pay up to the guy that got in. Then fix the flawed CGI (or release the source so that somebody who's competent can), and run it again.

    Or if they don't want to release the source of the CGI, remove all CGI's from both machines which aren't either standard or OSS
  • by Signal 11 ( 7608 ) on Friday September 24, 1999 @07:38AM (#1661761)
    cut to the next Jesse Burst article..

    ... It's the responsibility of the Operating System to ensure security. blah blah blah.. It is obvious that linux does not have Enterprise-level reliability. blah blah blah... blah blah.. IIS is better than Apache... blah blah... The problem here is that the user doesn't have access to a GUI, and thus can't see problems like this... blah blah blah... Of course Microsoft would have released a service pack by now - what does the Linux offer? A cryptic "patch" option. They should have an easy-to-upgrade "click here to compromise your security" feature like NT does... blah blah blah...tune in next week for 'Why I'm so cool, and you're so not.'

    --

  • I agree with your viewpoint on a typical Linux system shown to be less secure. I don't think this reflects on the OS or the principles behind it though.

    Rather, I believe that Linux can be at least as secure (and much more quickly fixed) as NT. As numerous people have mentioned, it is a matter of the people administering the system not taking the proper steps. But I don't think this necessarily reflects on them either. (Well, in the case of these "tests" I think it is sloppy. I'm talking about general use of the OSes.)

    My concern lately has been on user education. People have to know what they can do to improve their systems, that it is not the OS's fault but simply corrections that need to be made in the setup. I'm not sure about how this user education should occur, but I know it is important. Both Linux and MS zealots will use the latest error-filled results to push their platform, but the end user is not helped by choosing either of these without education about what each really entails.

    As far as your comment about no real OS existing anymore...Ok, I see your point. I see no backup for it, no reasoned explanation. You are right, I personally cannot recall an OS which was the epitome of user friendliness while incredibly powerful. And I agree that the future will have OSes that come closer and closer to that goal. Of course, I believe the future is whatever we make it, so I plan on pushing Linux towards that perfect blend.

    LoppEar.
  • You would be surprised, but I have seen MANY perl scripts that write a log to a file in a directory that has 755 or even 777 permissions. I actually do this myself when I develop them-and worry about the permissions later. So...this may not have been a case of bad CGI-but instead a case of bad implementation.
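
The configuration points raised in several comments above (docroot files chowned to the web server's uid, files left modifiable by the CGI user, and log directories with 777 permissions) can be checked mechanically. The following is an added example, not code from the thread or from PC Week's setup; the docroot path and the account are parameters, and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: list paths under a web document root that the account
# running CGI scripts could modify. DOCROOT and ACCOUNT are assumptions
# supplied by the caller; the thread names neither.

# audit_docroot DOCROOT ACCOUNT
# ACCOUNT is a user name or numeric uid, e.g. "nobody".
audit_docroot() {
    docroot=$1
    cgi_user=$2

    # Anything owned by the CGI account: an owner can always chmod and then
    # rewrite its own files, so the current mode bits do not protect them.
    find "$docroot" -user "$cgi_user" -print |
        sed 's/^/OWNED /'

    # World-writable files and directories, whoever owns them (the 777
    # log-directory case). Symlinks always report mode 777, so skip them.
    find "$docroot" ! -type l -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /'

    # Not covered here: group-writable paths whose group the account belongs to.
}

# Number of findings, for use in a cron job or CI gate.
count_findings() {
    audit_docroot "$1" "$2" | wc -l | tr -d ' '
}

# Build a constructed sample docroot in a temp directory and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/htdocs/logs"
    echo '<html>front page</html>' > "$root/htdocs/index.html"
    echo 'constructed log line' > "$root/htdocs/logs/access.log"
    chmod 755 "$root/htdocs"
    chmod 644 "$root/htdocs/index.html"
    chmod 777 "$root/htdocs/logs"              # the "worry about it later" directory
    chmod 666 "$root/htdocs/logs/access.log"
    printf '%s\n' "$root/htdocs"
}

# Demo: the sample files belong to whoever runs this script, so auditing
# against our own uid stands in for a docroot chowned to the server account.
sample=$(make_sample_tree) || exit 1
audit_docroot "$sample" "$(id -u)"
rm -rf "${sample%/htdocs}"
```

On a real server the second argument would be the account the web server drops to, and an empty report is the goal.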
  • As a community, we need to ante up, acknowledge that this is something that needs to be worked on, and move on. Perhaps set up a challenge that requires a flaw in the OS to be exploited.

    I just have to think that if the same thing happened to the NT box, there would be no grumbles. A victory would be declared and any talk otherwise would be met with much flameage.

    Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.

    My .02
    Quux26
    http://www.intap.net/~j/ [intap.net]
  • by Tarnar ( 20289 ) on Friday September 24, 1999 @07:39AM (#1661766) Homepage
    2 Things:

    #1, Absolutely nothing about NT or Linux itself.

    #2, A chain is only as strong as its weakest link. In this case, the weakest link was a poor CGI.

    So where from here? Let's try it with a better CGI, maybe let everyone see the conf files or something.

    Or maybe PC Week should release all the conf files to the cracked box, so the Community can comment on what should/shouldn't be in there.
  • Write it this way: "While they didn't exploit an OS-specific hole" ...perfectly good English, and perfectly gender neutral

    Actually, the term "they" is plural, leading to a subject/verb disagreement. That really counts as slang and is commonly used, but it's improper English (my teacher jumped on us for that). The only proper way to say it that I know of is "While he or she didn't exploit an OS-specific hole..."
  • by Signal 11 ( 7608 ) on Friday September 24, 1999 @07:40AM (#1661768)
    ... of course having an OS with holes big enough to drive a bus through doesn't help matters.

    --
  • Referring to a single person of unknown gender as "they" is common slang but is not correct English. "They" is always plural when used correctly.

    Many people argue that anything used widely enough becomes correct. This is true but I don't like it (although I don't have time to learn Latin... :-)

    From a practical standpoint, using "they" as singular makes a correctly singular noun sound incorrect, e.g. "Everyone was blowing their nose" vs. "Everyone was blowing their noses" - borrowed from the alt.english.usage FAQ [hp.com]. "Everyone" is singular, requiring the singular "nose", but "their nose" sounds strange...

    For information than you ever wanted on the topic of gender-neutral pronouns, see The Gender Neutral Pronoun FAQ [lumina.net].
  • A real test would have taken several Linux systems and several NT systems (not to mention the other players like FreeBSD, Solaris, etc) and load each one with a competing set of internet content technologies. Let people show how strong or weak THOSE TECHNOLOGIES are, and breakins across-the-board on one OS will show a generic OS weakness.

    The only problem is that this only shows the resilience to script-kiddies. Most of the serious intruders (you know, the ones who do this kind of thing for PROFIT) would never be so stupid as to take part in such a contest. Plus most such intruders are INTERNAL, and end up using non-network based attacks (e.g. physical access, social engineering, etc). As the man said in "War Games [imdb.com]": "Mr. Potato Head! Back doors are not our secret!".

    There is a point of diminishing returns in tests like these, and I think those of us who have the source to our OSes in our grubby little hands know who's safer.... :-)
  • ahem.

    That's "MORE information than you ever wanted..."


  • Common usage is far from correct usage... Try watching daytime talk shows.
  • You can download and install IE5 separately too. According to MS it is still 'integrated' and a part of the OS.

  • Open source CGI's are fine, if you don't need anything more than Matt Wright's guestbook -- if you're like the other 99% of the world that needs something genuinely useful, you'll have to put some nuts and bolts together. Proprietary code protects internal information. Would an honest person volunteer to help you work out a script for accessing a corporate database for free?

    Security through obscurity works, just don't depend on it as your first line of defense. If you don't know who's watching or where the loot is, there's really not much point of picking the lock.

    BTW, it's called "PC Weak"...
    --
  • by jcs ( 90508 )
    How can this be an accurate test of Linux vs. NT? Linux is just the kernel. The software (GNU or otherwise) is really what's at stake here. If you compromise a CGI script, what difference does it make whether that script was running on Linux or OpenBSD? The system is still compromised, and it didn't make any difference what operating system it ran on.

    This shouldn't be a Linux vs. NT battle. Make it an Apache vs. IIS battle (or Perl vs. ASP if you want) and leave the underlying operating system out of the whole mess. It just results in bad press for both parties (i.e., in the LinuxPPC contest, the NT server was never actually "hacked", yet it was down half the time which made it look bad.)
  • Sounds like a fair and empirical test to me: set up two boxes with customary tools and security measures, then let people try to hack them. The conclusion: Linux security needs work.
  • This is exactly what we have at my company. Better to have 3 web-servers OUTSIDE the firewall system, than to have to protect EVERY system inside it. I'm even (quickly) winning my boss over to Linux, I guess I live in a decent world after all.

  • Check the online PC Week archives at:

    http://www.zdnet.com/pcweek/filters/past/
  • For a flame-baiter, you sure have a hard time detecting flame-bait...
  • Not wanting to slate you or anything but as a scientist you should know that generally it is better to test and then draw conclusions than to set out to prove something with a test. A lot of this "monday morning quarter-backing" would be avoided if that was the approach used when setting up and observing tests.

    Point very well taken. What I mean to say is ...I'm open to admitting that my original premise was flawed. I also would like to point out that my original post was very poorly written.

    My .02
    Quux26
    http://www.intap.net/~j/ [intap.net]
  • The comparison is completely valid. Not all of us are running Linux as a server. Personally, I use it as a development platform. Just because I'm not running Apache doesn't make my Linux box useless (gcc runs just fine).

    It's annoying to me that the default Redhat installation is to have all services running, so that it's relatively easy to hack into my system. When you install NT out of the box, it doesn't automatically install a web server, an FTP server, a telnet server (not that NT has telnet servers...)

    The point is, for newbies, Linux is insecure. You have to know *something* about network administration to protect your box, even if it means editing your startup scripts or your hosts.deny file. And, as more and more people use ADSL and cable modems (like me), there are more and more insecure Linux boxes out there.

    It's Redhat's fault, not Linux's. But it's still a "Linux" distribution issue.
    ---
  • They can't easily keep the good reporting out, but they can sure as hell put biased reporting in. Encouraging a novice to set up an NT and a Linux box for a security test is a no-brainer for MS. Out of the box, linux is pretty darn far from secure. It is our responsibility in such tests to crack both boxes, and secure the linux box.
  • As much as we may hate to admit, this does actually prove some weaknesses, not in linux, but in unix in general. The flexibility of the operating system allows it to be exploited easier in some situations. Since you can do basically anything to the machine from the command line, anything that possibly has access to the command line can do anything, as well if it is compromised.

    On NT, this isn't true. You have to use their little GUI to add users and such, so it would be pretty hard to actually be able to intrude the box by exploiting something like a CGI script. You may be able to erase files and things like that, but not actually get in and make yourself an account.

    So, basically, the reason Linux lost was because it is flexible and extremely controllable from a command prompt. Can Microsoft say anything like that about NT? This may lead to a loss in security, but I guess it just makes sure we do our homework when setting up remotely accessed services.
  • Another reason I wasn't really surprised was since most webservers run some form of *nix, most "hacks" are designed for *nix. If NT ever gets more webserver share, and more things worth getting into, more NT boxen will be compromised.

  • IIS is much more a part of the operating system than Explorer, which MS argued for weeks was a part of the server. And it is much more a part of the OS than Apache.

    You buy Windows NT *SERVER*. You can make it a file server, a domain server, a DHCP server, a WINS server, or an Internet server. If you want it to be an Internet server, you install IIS. IIS is supplied as part of the OS by Microsoft to all owners of NT Server ON THE INSTALL CD's (Apache happens to come with some distros, but it comes as part of the applications library, not as a part of the kernel or base install). It was created by the creators of NT Server (Apache != Linux). It integrates itself into the OS as a system service (Apache doesn't run in kernel space, and doesn't need Admin privileges).

    Now, if you said Netscape Server, things would be different.
  • Why can't all the distros for Linux and perhaps all the Unices for that matter turn off those things that are "MAJOR" security risks. Had a couple of Israelis put a sniffer on two Solaris boxes that weren't locked down very well on campus and therefore a whole zone of IPs had to change passwords because of it. Just no need for that sort of thing. Linux and all Unices should come locked down or close to it, then an FAQ explaining all the things that are turned off and why including the security risk they pose. Just one man's opinion.

    Hangtime
  • I couldn't agree more, Red Hat is a terrible distribution, I can't use it, and I have been using Linux for 3 years, primarily Slackware, but I have tried them all and Red Hat hits rock bottom by far.
  • The one thing that really pisses me off is that these people who can not even pass the muster as a small town reporter are too chicken to debate.

    I've challenged Jesse to debate me online and have never received an answer.

    Remember this... Jesse Berst and the like have NO ACCOUNTABILITY! They can say any strange, bizarre thing that pops into their challenged minds without the mildest shred of proof under the guise of journalism.

    They don't respond, nor do they take responsibility for their actions. Just typical arrogant Microsoft people.

    You do know of course that ZD-Net is essentially a Microsoft flunky. After all... They are owned by SoftBank, and SoftBank (based out of Buffalo, NY) does a LOT of technical support for Microsoft.

    I guess there is no such thing as conflict of interest, so the individual who has never touched Linux in his life, (jesse) can go right on saying what he is saying...

    Remember his little article on "Can you get fired for recommending Linux?" No case studies, no proof...just toeing the Microsoft party line...


    Cheers,

    Nicholas

    PS: In case you haven't guessed a majority of so-called journalists are this way especially on the internet. If it is something they don't understand....oohhh..scary...let's talk bad about it...
  • I'm quoting this from the "hack this whatever it's called" website:

    >>Finally, here's one last tidbit of information... pcweek is owned by Ziff-Davis publishing
    >>Excerpt from the ZD home page
    >>Ziff-Davis is a publicly traded company listed on the New York Stock Exchange
    >>(NYSE). A majority interest is owned by SOFTBANK CORPORATION.
    >>SOFTBANK is Japan's largest distributor of computer software...
    >>Excerpt from Microsoft's home page
    >>REDMOND, Wash. - March 24, 1999 - Microsoft Corp. today announced it has
    >>signed a memorandum of understanding to enter a joint venture with Softbank
    >>Corp. and Yahoo! Japan to create the Japanese version of the MSN CarPoint
    >>online service...The initial capital of the new company will be $7 million, with 50
    >>percent of its common stock owned by Softbank, 40 percent by Microsoft and 10
    >>percent by Yahoo! Japan. Masayoshi Son will be CEO and president of the new
    >>company...
    >>Excerpt from the ZD home page--
    >>ZIFF-DAVIS INC.
    >>DIRECTORS AND EXECUTIVE OFFICERS
    >>Masayoshi Son
    >> Director

    Draw your own conclusions, free thinkers....
  • by Anonymous Coward
    A system's security is only as good as its administrator.
    Although this is fundamentally true, we need to be careful making this argument, as it plays directly into Windows NT's marketing strategy.

    The fact is that all of Microsoft's recent success -- especially with respect to Windows NT -- can be attributed to the successful marketing of a single message:
    Any idiot can run Windows NT. It takes a genius to manage Unix.

    The appeal of this message to IT directors and CIOs is clear. MS has successfully planted the meme that a company can get more done with 2 green MCSEs at $35k per year than with one seasoned Unix admin at $75k per year.

    Of course, those of us who are in the trenches with NT and Unix on a day-to-day basis know that this argument is a load of fetid dingo's kidneys, but we're not the ones who make the enterprise architecture decisions... and Microsoft is taking full advantage of that fact.

    The challenge for the Linux and Unix community is to demonstrate the fallacy of Microsoft's message -- to show that "Wizards" and other GUI sleight-of-hand are not a substitute for knowledge and experience. How to do this? I don't know. NT directors and CIOs don't like to admit they've been snowed by crafty salesmen.

  • On what theory does an OS never allow anything to be done? Someone's got to be able to bring the system down so that someone can do something with the system. If that person is irresponsible, they're a problem. Handcuffing your users so that they can't do anything is not the solution.

    I'm not sure what happened, and the site doesn't seem to say, but if they were running CGI input without checking it they're:
    a) Dumb
    b) Limited to what that CGI can do.

    If they configured their machine so that their CGI can do security leaks, what is the OS supposed to do, say "No, you can't do what you want. Go away and stop trying to be creative?"

    As many people have pointed out, an OS is only as secure as its weakest link. The person at the keyboard is a necessary link, so if they're your weakest link, you're in trouble. The same would go if this was just a bad asp script.

    You might be able to make an argument that the same sort of flexibility doesn't exist on NT and thus you can't do this sort of stuff. While that may be true, do remember that walking is generally safer than driving. When you can do more, you can also go wrong in more ways.

    It all boils down to knowing what you're doing. I forget who said it, but "If you make a device idiot-proof, nature will make a better idiot."
  • Well, if you're actually running your CGI scripts as root you're just asking someone to break you. By default, CGI scripts are run as the user nobody. Nobody owns no files, is part of no group, and has no login shell. In short, if they compromised a normal cgi script they shouldn't be able to do much more than fill /tmp up. That and read publicly available files.

    And as soon as you can break into some code running as administrator (or the OS itself, that is something like a third of the code, isn't it?), you can just install BO or something like that and get some decent remote-administratability options.

    NT is no more inherently secure in a full security-breach than Linux is. In either case you're screwed if someone can compromise the superuser. And NT has plenty of services either running as administrator or in kernelspace. Can you even run a daemon-like service as a regular user under NT?
  • by k9-quaint ( 94011 ) on Friday September 24, 1999 @02:13PM (#1661828)
    Denial of service attacks. To which NT is notoriously prone and to which Linux is not. I am not talking about packet storming, but rather boundary cases in the protocol stacks that cause crashes (BlueSoDs) and kernel panics.

    Since vanilla NT has virtually no remote administration or remote anything capabilities, it had a natural advantage in this test. Turn off NT File Serving, and you have to put machine code on the stack to change files (annoying and not worth $1000). On Linux, I could just root the machine and then enable telnet, configure the shell of my choice, set all my little aliases, and it would be just like home.

    IMHO, NT is more secure out of the box than most Linux distros. If you want perfect security, may I recommend a piece of wood (not as much functionality as NT, but very very secure).

  • by zempf ( 4454 ) <zempf.bigfoot@com> on Friday September 24, 1999 @07:42AM (#1661833) Homepage
    The rules [hackpcweek.com] state:



    The only fair targets are the securelinux.hackpcweek.com, and securent.hackpcweek.com sites. To win the 1000 gift certificate you must mark up the home page or steal a file called top secret. Denial of Service attacks spoil it for everyone, and get nothing accomplished.



    That's it. If that's all they have for official rules, then this guy should get the cash. While s/he (so as not to offend all those female crackers :) didn't exploit an OS-specific hole, the rules didn't say s/he had to, so it looks like PCWeek is out a grand on the deal. Oh well.

    Looks to me like next time they need to include some fine print like every other contest does :)

    -mike kania
  • In the immortal words of Grimjack:

    "I only believe in a fair fight when I can't rig it in my favor."



    "The number of suckers born each minute doubles every 18 months."
  • by zempf ( 4454 ) <zempf.bigfoot@com> on Friday September 24, 1999 @07:44AM (#1661841) Homepage
    cut to a Jesse Berst article 3 months later...


    ..Linux is the wave of the future...blah blah blah...open source is the way to go...blah blah blah...

    :)

    -mike kania
  • by jabbo ( 860 ) <jabboNO@SPAMyahoo.com> on Friday September 24, 1999 @02:47PM (#1661844)
    but just more worthless speculation.

    "Absurdly complex" appears to be quantifiable when one OS has something like 20 million lines of code and the other something on the order of 2 million.

    One advantage Linux has is that it is relatively easy for a competent user to configure it the way he/she wants to. This appears to be much more difficult under NT. The "lots of little tools" philosophy isn't there -- a complex aggregate which cannot be broken down into simpler pieces is harder to understand and analyze than one that can.

    In any event, anything worth doing is usually pretty tough. There's no competitive advantage in offering a service Just Like Everyone Else's, and doing easy, fully understood things isn't much fun. This goes far beyond OSes and webservers.

    /Life/ is absurdly complex. Get used to it.

  • by fnj ( 64210 ) on Friday September 24, 1999 @07:45AM (#1661845)
    Everyone so far has missed the point. This isn't (or shouldn't be) a one time thing. Both servers should be left there forever, subject to ongoing attacks. No need to pay anyone anything (maybe a T shirt or something). I think there'll be plenty of entrants without any big reward being needed.

    NT gets better, Linux gets better. I don't have any axe to grind, and this outcome would please me. Better operating systems; who can be against that?
  • by Anonymous Coward on Friday September 24, 1999 @07:46AM (#1661847)
    This test was a farce to begin with ...

    If the web server is running as nobody, then shouldn't the CGI script be running as nobody too? No competent web server admin would allow the root docs directory to have 666 permissions or run the web server as root. Was this CGI script 4755, or was the directory set up with bad permissioning?

    I could see exploiting a CGI script to get it to email you a sensitive file or display sensitive information, but they must have had the web server misconfigured to make it that easy to change a page in the doc root.

  • I think that more contests such as this will probably continue to turn out with the same results. Barring from the fact that this was a security blunder in the CGI code (I am assuming perl?)-everyone is right...this was probably also due to a lack of knowledge of administration on the Linux machine. So now the Open Source community has something to take a look at-c'mon people, they have been rubbing it in our faces ever since the Mindcraft tests... Linux is not a perfect OS (yet)-instead of ranting and raving we need to FIX the problems that these tests are cranking out.

    I don't get mad, or jealous when Microsoft wins one-and all the excuses in the world aren't going to help. So, apparently what we have learned is that we need to make Linux more secure right out of the box-and easier to configure. (Like I said, don't get me wrong-I do understand that it was a CGI blunder), but we really don't need to use this as yet another 'crutch' to avoid the problems. There are other tests that Linux has failed at-the re-make of the Mindcraft tests didn't prove anything except that the problems can be REDUCED with good administration, and not RESOLVED. So these are the things we need to be pushing RedHat, SUSE, Caldera, etc... to implement in their distributions.


    P.S.: There is a similar crack-contest going on at http://www.3rdpig.com [3rdpig.com] , and they are offering a $1000 dollar reward as well, you have to get the contents of a file called SecurityDemo. This is a great example of a nice-secure system, but unfortunately it is still pretty buggy. If you go there you will see what I mean. It is very hard to get around, and you are restricted BIG TIME-fork errors flying around in bash, access permissions denied to certain libraries, etc, etc..
  • by |DaBuzz| ( 33869 ) on Friday September 24, 1999 @07:47AM (#1661849)
    If someone had broken into NT via IIS would we still be saying "it's not the OS's fault"? I doubt it.

    What I would like to know is, did the CGI ship with the RH distro they used ... if so, that's part of the OS in my book just as IIS shipping with NT is part of the OS when used in that fashion.
  • by Anonymous Coward on Friday September 24, 1999 @07:53AM (#1661860)
    Linux Administrator's Security Guide http://www.securityportal.com/lasg/ [securityportal.com]
  • All of these contests are designed for Linux to lose. Although PC Week has been expanding their coverage of Linux, what is PC Week? It is a magazine oriented towards Windows users. Look through their ads. 99% of their ad revenue are for products for Windows.

    The way I see it, there is no real way to test the two operating systems against each other. Somebody will always find something wrong with the test criteria, someone else will scream conspiracy and the whole thing starts over again. Who cares if Linux got hacked first. It doesn't matter. I use Linux because I enjoy it, not because it is "hack-proof". I find it easier to get the things done that I do.

    There is no such thing as a 100% secure server. Somebody is always going to find a way to get in. These tests are designed to convince corporate big shots to use one or the other. It's going to come down to CIOs actually listening to what their Sys Admins' real world tests showed for their business, not somebody else's. Your business and systems are completely different than mine. I'm not going to use NT or Linux just because it works for you.

    This is not intended as flamebait. I'm just tired of this. It's like all of the sudden Linux and NT need to be on the cover of Consumer Products magazine or something.

    My name is Matt and I'm a Linuxholic
  • by Anonymous Coward
    All right that's the final straw! I'm switching back to NT right now!
  • Try going to the server configs [hackpcweek.com] page at www.hackpcweek.com [hackpcweek.com]. Note that there are configs solely for securent, none at all for securelinux. Far be it from me to be paranoid, but this lack of information leads me to suspect that the configuration of the linux server was far from optimal (even if it was hacked via a faulty closed-source CGI script). After all, if the linux box had been secured, the maintainers would know which config files had been modified, what patches needed to be applied, etc. Instead we get "reinforcement" of how "well-documented" everything in NT is, and how "poorly documented" linux is.

    Also, if anyone happened to nmap the two boxen, they probably found the same thing I did...both are behind a firewall and return *identical* scans (aside from hostname):


    Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
    Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
    Port State Protocol Service
    21 open tcp ftp
    23 open tcp telnet
    25 open tcp smtp
    70 open tcp gopher
    80 open tcp http
    119 open tcp nntp
    139 open tcp netbios-ssn
    420 filtered tcp smpte
    443 open tcp https
    1080 filtered tcp socks
    TCP Sequence Prediction: Class=truly random
    Difficulty=9999999 (Good luck!)
    Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
    Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds



    What's this? These machines are so secure that they need to be protected by a firewall? Why? Are there possibly ports on one of them that can't be disabled any other way? This is mere speculation, but if you're running a contest to show the security of a specific box, do you add external security on top of it?

  • by DiningPhilosopher ( 17036 ) on Friday September 24, 1999 @07:56AM (#1661865)
    Well, assuming they could find two equally knowledgeable sysadmins (each relative to his/her platform - yes, this is difficult) and assuming each was allowed to choose the server, scripts, etc. to be used on that platform it's a worthwhile test. It doesn't have to be the same software to be valid.

    If you had a flawless operating system but the only applications available for it were crap you would have a bad server platform. In other words, there's a difference between testing an OS and testing a platform.

    (Note: I'm not arguing that the case I described is the case with the linux box in the contest - linux is not flawless and apache is not crap. I know it was a bad script and this reflects badly on almost nothing else. I'm just making a point about the hypothetical validity of this kind of testing)
  • by substrate ( 2628 ) on Friday September 24, 1999 @07:58AM (#1661868)
    Not only is it fair but maybe it's important to note. Too many people, including security authorities within many companies, fail to recognize how rigorous you have to be to maintain security. You can apply every patch against every line of code on your system and still be insecure. What's worse is that because so many people rely on specialized tools, such as SATAN, to audit security they become trusting and complacent. They're a good first step but they shouldn't be the only step for mission critical equipment.

    Suppose the white hat community is fully caught up with the black hat community, or maybe even a few steps ahead. Any standard script attacks against the infrastructure of your network will fail but there's still a glaring problem.

    What about user software? Users like to run software. Some of the software interacts over the internet at large, such as games. Most of it is not designed by people overly concerned with security. People run poorly written CGI scripts. All of this provides the ability to get into whatever account the application was running from. Smart intruders will remain very quiet (dumb ones will post things like "Y3R 0WN3D") and bide their time. Eventually with enough patience and/or intelligence the system can be compromised further.

    There's a lot of things that are secured dumbly. People are smart enough not to run web servers as root anymore. They run them as 'nobody', which is fine, but they leave 'nobody' with a valid shell which is dumb.

    The only truly secure system is one that is turned off, encased in concrete and sunk in the deepest trenches in the ocean. Unfortunately that isn't terribly useful, but you can increase security by conducting 'what if' thought experiments.
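
    The three misconfigurations raised in this thread (a docroot file left mode 666, a CGI script installed 4755, and a web-server account such as 'nobody' left with a valid shell) can be checked mechanically. The following is an added example, not part of the original discussion; the directory layout, file names and passwd lines are constructed for the demonstration.

```python
"""Audit a web tree and passwd data for the weak settings discussed in the thread."""
import os
import stat
import tempfile

# Shells that refuse interactive logins (assumption: the usual locations).
# An EMPTY shell field is not in this set: login treats it as /bin/sh.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def audit_tree(root):
    """Return sorted (relative_path, finding) tuples for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless; the target is checked itself
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            is_dir = stat.S_ISDIR(st.st_mode)
            # Anything the 'nobody' CGI user can overwrite lets a script bug
            # turn into a defaced page. Sticky directories (like /tmp) are skipped.
            if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
                findings.append((rel, "world-writable"))
            # A setuid/setgid CGI runs with its owner's rights, not the server's.
            if stat.S_ISREG(st.st_mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def accounts_with_login_shell(passwd_text, service_accounts):
    """Return {account: shell} for service accounts that can get a shell."""
    flagged = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed line
        name, shell = fields[0], fields[6]
        if name in service_accounts and shell not in NOLOGIN_SHELLS:
            flagged[name] = shell or "/bin/sh (empty field)"
    return flagged


# Constructed sample passwd content, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/sh
www:x:48:48:Web server:/var/www:/sbin/nologin
"""


def build_demo_tree():
    """Create a throwaway docroot holding one file of each kind; return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    cgi_dir = os.path.join(root, "cgi-bin")
    os.mkdir(cgi_dir)
    os.chmod(cgi_dir, 0o755)
    layout = {
        "index.html": 0o666,                             # weak: anyone may rewrite it
        os.path.join("cgi-bin", "guestbook.cgi"): 0o4755,  # weak: setuid CGI
        os.path.join("cgi-bin", "ok.cgi"): 0o755,          # fine
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("placeholder\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter
    return root


if __name__ == "__main__":
    import shutil

    demo = build_demo_tree()
    try:
        for rel, finding in audit_tree(demo):
            print(f"{finding:15} {rel}")
        for name, shell in accounts_with_login_shell(SAMPLE_PASSWD, {"nobody", "www"}).items():
            print(f"{'login shell':15} {name} -> {shell}")
    finally:
        shutil.rmtree(demo)
```

    Pointed at a real docroot and /etc/passwd, the same two functions give a quick pre-deployment check; they do not replace reviewing what the CGI script does with its input.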
  • by Pike ( 52876 ) on Friday September 24, 1999 @08:04AM (#1661871) Journal
    (Disclaimer: I like linux. I am trying to get it to work on my home box. This is not flame-bait, just devil's advocate material.)

    Just lurking in all the stories about linux vs NT security challenges, and it seems like most slashdotters are incredibly one-sided in their views, driven more by a sense of rebellion than anything else.

    When somebody challenges people to break into their linux box, somebody eventually does, and all kinds of excuses are offered.

    When somebody challenges people to break into their NT box, the linux sneetches with stars upon thars scoff, "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!"

    If linux is so secure and Windows anything is not:
    • Why do you refuse to prove your point by actually cracking an NT box in one of these challenges? On a related note, I have heard as an excuse for Linux in response to the ZDnet trial, "A system is only as good as its administrator." This seems true, but if you really believed it, (A) you would know that you would not be helping MS by cracking NT, you would be helping only the particular person administrating that box, and (B) you would be proving your as-yet undemonstrated point that NT is at least as insecure as Linux.
    • Why do I read, in every mailing list and newsgroup, posts from Linux people saying "HELP! Someone cracked my box! What do I DO??" These would seem to back up my first point.
    • Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password. If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.

    If linux advocates want any credibility, they will have to stop giving knee-jerk, "heads-I-win tails-you-lose" excuses and begin to demonstrate their claims.

    Joel Dueck
  • by nano-second ( 54714 ) on Friday September 24, 1999 @08:05AM (#1661872)

    Well, yes, you're right. perfectly. That should be the point. Better operating systems... of course. Makes a lot of sense. But (and this is the kicker)...

    ... That is never going to be the point. CrackThis!(tm) challenges are always going to be about ego. The ego of the cracker. The ego of the OS community. Ego. It sounds childish and silly, but that's what it is. These contests, which seem to be common lately, are not about testing the system, really. Sure that is often a nice side effect, but really, it seems that it's more a way to "prove" that such-n-such OS is better than this-n-that OS.

    Sad, but true. It should be about improving the OS, but until these contests are restructured to be less inflammatory, people are going to use them as proof for their particular OS fanaticism. That's human nature and will have to be expected in such a setting.

    Now, I personally don't have anything against these contests, they do have useful results. But I don't think we can ever, realistically, expect them to be purely for improving the OS in question.
    ---

  • by Jeos ( 49871 ) on Friday September 24, 1999 @08:07AM (#1661873)
    Someone in the forum on the hackpcweek page was arguing that Microsoft had configured the NT server, but the linux one was mostly default. I think this probably was the case, when poking around the linux server I noticed that the Apache default dirs manual and icons were still on the server with all the default files in them. While this doesn't really cause any security problems, it lends toward the idea that the Linux/Apache install was mostly default and not configured very well. Since they used a mostly default install they probably also just grabbed an off the shelf cgi script, which is more important because it led to the crack. Also when the contest first started the Linux guestbook script wasn't even filtering out HTML and javascript, but the NT script was. Which once again points to carelessness with setting up the Linux box.

    But regardless of if they were careless or not, that's really a non-issue, the issue is that cgi script was at fault. I'm sure that if this script was running on the NT server, it could also have been cracked.

  • by DrMaurer ( 64120 ) <danlowlite@gmTOKYOail.com minus city> on Friday September 24, 1999 @08:12AM (#1661877) Homepage
    Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.
    See the linux user in his native habitat, he's tensed, poised, awake, and banging at his keyboard in anger that someone may have cracked his sacred linux, even if it was a cheap shot. He's letting his real skin show, and it's as ugly as the linux command prompt or the blue screen of death. He wants to set up a test that proves that linux is better. The linux user is unaware that such a test is stupid and proves nothing.
    This is an interesting specimen, of course. But the average Linux or NT zealot would all speak the same way. "They know they are the best, so let's set up a test that proves it." It shows everyone that the truth is hard to deal with no matter which side of the fence you are on. They don't want security, they want their way.
    Oh no! Here comes Demons and TAO, "the ultimate OS" representatives! Amiga and BE! OH! The humanity, they're squabbling for leftovers! Oh, the elephant of NT is here, trying to trample them all! Penguins are being smashed by the dozens, more and more are pecking furiously at the elephant. It's getting too much for the pachyderm, it slumps down and dies. The demon rips off the trunk of the dead evil NT elephant, and the penguins keep pecking and squawking, sure of their superiority.
    Is that movement in the bush? Oh, indeed it is! I can't quite make it out, but it's grabbing everything and eating them alive! Oh! The humanity!
    They never saw what hit them. They were just standing there, all quacking and whatever else they might do, and something ate them all! Oh, my Lord! What predator can do such a thing? Obviously it must be higher on the evolutionary ladder!
    We had best get out while we can!
    Signing off, and remember, don't ever stand still and gloat and assume you're safe, or you'll get eaten.
  • by Gavin Scott ( 15916 ) on Friday September 24, 1999 @08:19AM (#1661881)
    "and this is obviously not an OS test."

    If you take 100 users and tell them to set up a challenge like this, and in more cases the Linux box ends up getting cracked and the NT box does not, then Linux "system" is clearly less secure, regardless of whether it is the Kernel, a subsystem, an add-on package, the documentation, the ease of use, or the user's own idiocy that results in the break.

    These days systems like Linux and NT are so absurdly complex that you can't talk about the security of "the operating system" in isolation.

    And before you label me a MS troll, let me say that I think both NT and Linux are really lousy operating systems. They are like the left and right extremes of the political spectrum. On one hand you have the totalitarian Microsoft OS ("You *will* use it the way we tell you to") and on the other you have Linux (i.e. Unix) where everyone can have everything any way that they like, and as a result nobody can agree on what the functionality should be for any component that's higher up the evolutionary ladder than a Lego Brick.

    Unfortunately most of you reading this will have grown up knowing only these two extremes, and probably have never seen an operating system that is really there to help you get the job done quickly and efficiently. Unfortunately most of these elegant and effective OS products have all but died out today because of all the foaming, heat-seeking, lusers drooling over the latest trend they read in Computerworld.

    One day there *will* come a Great Operating System(tm), but it's not going to be Windows (and Microsoft probably won't write it), and it isn't going to be Linux, and it isn't BeOS, and it isn't MacOS, or any of the other current options, so as you wipe the spittle from your mouth after your latest /. Linux/NT flamewar, pause and reflect for a moment that maybe there might possibly be a better way...

    G.
  • Without question hacking CGI is fair. In fact, two really big and very recent CGI blunders come to mind:

    • hotmail
    • network solution's dotcom mail

    In neither instance were there any server breaches (that have been disclosed) but some really stupid CGI errors made the entire systems as they were intended to run wide open and completely vulnerable.

    If this contest was meant to only test the OS, it should have been spelled out as such in the rules.

  • What is the point to all these crack-my-box tests? Every day, this sort of thing goes on in the real world; that's where the real testing goes on. This whole artificial set-up-a-box-and-leave-it methodology is not analogous to the real-life version of setting up a secure webserver, patching holes in security, applying maintenance updates, and all the rest of the work that goes into it.

    My webadmin experience is limited to Apple's Personal Web Sharing (only serves 10 connections at once but it's perfect for testing your personal site's HTML links), a default Red Hat 6/Apache combo at work that pretty much only serves two pages (three if you count the default "It worked!" page), and a just-installed copy of Mac OS X Server on my iMac at home; obviously, I'm not what you'd call a fully-qualified expert on the subject. But even I know there's much more to webadmin than what these tests show. It's an ongoing process, not something that can be decided in a week's worth of testing. Anybody basing their webserver or OS decisions on these tests doesn't deserve their own parking space and thousands in stock options, because they're not doing their job.

    That said, if PC Week was out to prove which OS can be hacked easiest, X Server would have been an interesting third choice. It ships with almost every service disabled by default, forcing admins to explicitly choose which ones they activate, and it does a fair job of warning when something isn't secure (like storing your server on an HFS+ disk instead of UFS or something equally silly). Hell, if WebStar on plain old Mac OS is good enough for the US Army, BSD-based X Server should have at least been mentioned. Then again, as others have pointed out, the magazine's name is PC Week, not OS Week.

    Testing this stuff isn't like running Whetstone on two different versions of the same chip. It involves more work than picking the winner of an artificial and impossible-to-quantify "test".

    Or am I just bitter because I work in the black hole of the seventh hell that is tech support and not on the thirty-eighth floor as a golden child of the IS department with a window, a phone that never rings, and a job that involves nothing more than reading PC Week? :-]

  • by gregm ( 61553 ) on Friday September 24, 1999 @08:28AM (#1661892)
    Already we're seeing posts like "why don't the hackers leave the Linux box alone and go for the nt machine". My god how could anyone post this here at Slashdot? Think of the quote you just gave Microsoft:

    "Users at the respected Linux website, Slashdot, plead with hackers to pick on NT and to leave their Linux server alone"

    And how about this one. "it was a third party closed source script and not the os's fault".

    Here's the headline
    "Security Update: CGI-script designed to run on Linux/Apache server allows root access" (I don't think that's what happened but hey once it's in print who cares)

    This article would go on to read:
    A cgi-script written for the free Linux operating system and the free Apache found faulty. Sources won't reveal the name of the script and no attempt has been made to correct this problem.
    Guess you get what you pay for.

    written by our fav
    Jessie B

    We can't stop these stupid contests from going on but we can use some of the tools that the "man" uses to our benefit. Ignoring them comes to mind.
    Slashdot has to walk a fine line... they are a news page first and foremost and they happen to like Linux a lot. Slashdot has an obligation? to report and no one is paying them to kill a story unlike, I'm sure, some of the other news sites/journals.

    Please Slashdot just say no(tm) to stupid hype and don't post every friggin contest that comes down the pike. These articles may make for interesting/inflammatory reading but they're doing a disservice to the Linux community, nay the entire computing public.


  • my experience with Red Hat in particular is that the default install is ridiculously insecure

    Then your gripe is with Redhat. Linux didn't lose, poor CGI administration lost. Linux just executed their insecure code.


  • by gsfprez ( 27403 ) on Friday September 24, 1999 @08:30AM (#1661894)
    will buy the guy a decent computer to run Linux on and run a web site.

    It won't pay for the same system if he wanted to install NT Server on it.


    That's me.. always thinkin...
    ___
    "I know kung-fu."
  • What I would like to know is, did the CGI ship with the RH distro they used ... if so, that's part of the OS

    It's not likely that RedHat includes it. As has been mentioned, it's a closed-source program and RedHat has stopped including any and all closed-source or commercial programs with their distribution.

  • I use Linux because I enjoy it, not because it is "hack-proof"
    Unfortunately, many companies DO use Linux because of its relative security (when compared to NT). Even though we know that using a closed source CGI script isn't a fair way to test an open source OS, PC Week may not have known that...and the pointy-haired people who all just bought Red Hat stock might now have second thoughts.

    That's why it's important for some people to at least contest this sort of blatant falsehood publicly. But how?

  • Your Windows computer connected 24/7 via DSL doesn't run any services so you may leave that point out. Like you say, if you disable file and print services, you don't run any risks, but you lose the functionality for that particular moment which if you need it does you no good anyway. The same can be done with a linux box. Disable all the services and no one can get in, but therein you will have a pretty useless server. You are comparing apples and oranges here.
  • You're right about some people's attitudes - linux should win or lose any comparison on its merits, not because people want it to win or because they want the other platform to lose. We here at /. should take care not to let this forum degenerate into Mac vs. Windows.

    Play with linux for a bit, though, and you'll see why people sometimes have trouble securing their machines. There are a ton of options available, and network security is not easy - especially when the sharks out there keep getting more creative.

    After shelling out for NT, you need to spend even more money to enable network services besides file sharing, so people who don't need that software don't have it. With linux, it's all there, right after install. So, because nobody has released a distro just for newbies, most people's boxes come up running telnetd and sendmail and all the potentially weak links in a large, complex system.

    In short, the strengths of linux can also become its weaknesses, and we as a user community should see what we can do to remedy that.
  • by emag ( 4640 ) <slashdot@gur[ ].org ['ski' in gap]> on Friday September 24, 1999 @09:18AM (#1661910) Homepage
    I don't know.

    I guess I've just always been of the belief that it's a Really Bad Idea to have your firewall hit unnecessarily. IOW, put the web server outside the firewall, probably on its own subnet off the incoming connection. That way, if the machine IS cracked, you don't suddenly have to worry about all your non-hardened hosts being hit from a supposedly trusted machine.

    After all, once you're through the firewall, you're through the firewall, and it won't protect you anymore. If you happen to be running bad CGI, or ColdFusion, or somesuch which just screams "Crack me!", you're probably in for a much larger world of hurt if you think everything is already protected.

    I know I didn't come up with that idea myself, so I must have read it someplace and it made sense. Of course, I tried proposing this at the last place I worked, and ran into a lot of resistance. They didn't want to use an old Pentium/MMX 166 for that, even though they were replacing all the secretaries' machines with PII/400s. So this probably WAS a real-world scenario.

    I still contend though that the best security policy is to trust nothing, not even the firewall.
  • by El Volio ( 40489 ) on Friday September 24, 1999 @08:46AM (#1661911) Homepage

    You're right. It serves no purpose to ignore one box. But at the same time, for both Linux and WinNT, the statement regarding the administrator holds true. What you want is to get an absolute NT security guru to configure one box, and a UNIX/Linux security guru for the other, hopefully equalizing that portion of the test.

    It's more common for Linux users to notice the box has been cracked. Windows users who suffer BO and similar attacks may not realize that it was due to a network intrusion, and just chalk it up to the notorious unreliability of Windows. Additionally, the type of users who are "experimenting" with Linux are more likely to be interested in security (and doing things that could risk their machines!) than the average Windows user who just wants to surf the Web.

    You should not believe that merely un-checking file&print sharing will secure a Windows machine. While the rules of the contest don't count DoS attacks (since that's not the purpose of this particular evaluation), for actual consideration that would have to be a factor. Additionally, remember that this isn't just putting a Win9x or even a WinNT-WS box on the net -- it's a web server, which comes with a whole different set of challenges. With more power comes more complexity. This is true of programming, networking, race car driving, and most things in life.

    I agree with you: this should not be viewed as an "either/or" proposition, but as an ongoing process. That's the way the world works, and any test should try to reflect reality in a controlled way. IOW, control is just to take out variances by converting a variable into a constant.

  • by jelwell ( 2152 ) on Friday September 24, 1999 @09:19AM (#1661912)
    I think a lot of people are missing the point of open sourced security. The guy who cracked the Linux Box pointed out that the security issue was a closed-source cgi script. Everyone needs to remember that the difference that the Free Software Foundation purports between NT and Linux is that Linux - with an open sourced system security can be proven; whereas in a closed source environment security can only be hoped for.

    I don't condone the way this "hack contest" was put together. But I also don't think the results should be invalidated. Someone earlier mentioned that "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!" - the author seems to think Linux users should all try to work collectively to hack into the NT box. Is it really that Linux users think themselves better than Microsoft? Or is it really that Linux users are overly educated in the security realms of their own world? While NT security administrators can only hope that Microsoft has protected them - without really knowing how they might be exploited - and how they might secure themselves other than just applying NT updates.

    Just remember: Open source security allows the administrator to have as much control over their security as any hacker - script kiddie or otherwise. Closed Source security means that thousands of MS employees, present and past, know more about your security and its holes than you do.
    Joseph Elwell.
  • by Anonymous Coward on Friday September 24, 1999 @09:21AM (#1661918)
    Hmmm.

    Those are mighty sour grapes there....

    Question- if the same CGI script(s) were running on both systems, why didn't it fail on the NT system as well?

    Could it be that since the services are wide open on a Unix system once security is breached (single point of vulnerability- access to root), while it's more difficult to do as much through remote access on an NT system (granular security model, no remote access command prompt by default), that the faulty CGI script is a far more serious problem on Linux than on NT?

    Since I don't know all the details of the failure (the links in the story point to an infantile "did too!/did not!" discussion thread) it's hard to discern the details of the test.
  • by cernnunous ( 56653 ) on Friday September 24, 1999 @08:50AM (#1661922)
    Linux is not that easy to setup securely. And obviously, looking at the LONG list of non-standard changes made to the NT box, neither is NT.

    The point of this test is moot, since really neither OS was compromised. It was a flawed CGI script, just like the one that brought down Hotmail.

    Like many others have said already. Pay up to the guy that got in. Then fix the flawed CGI (or release the source so that somebody who's competent can), and run it again. Once all the bugs are gone from the "add-ons" on both servers, then maybe we'll begin to see which is the more secure and stable OS.

    I admin both NT and Linux boxes at work. I know which of the two I can rely on to stay running and keep unwanteds out. I don't think it makes me a "Linux Zealot", perhaps it just means I find Linux easier and more intuitive to admin. If somebody else finds NT to be more stable and secure for them, more power to them.

    john
  • See the linux user in his native habitat, he's tensed, poised, awake, and banging at his keyboard in anger that someone may have cracked his sacred linux, even if it was a cheap shot. He's letting his real skin show, and it's as ugly as the linux command prompt or the blue screen of death. He wants to set up a test that proves that linux is better.

    Like an NT user, of course I have my preference and biases. I also believe that Linux is not only a better security platform, but philosophically as well. I'd use it even if it was shown to be less secure. But it doesn't matter what I believe to be true, does it? It must be tested.

    I think that the layout of the challenge was poorly stated, but this is merely Monday-morning quarterbacking at its worst.

    Again, if it was NT that was brought to its knees, nobody would be uttering ANYTHING about "second chances", and that bugs me a bit. But do I have some sort of inbred, insatiable desire to make sure Linux wins at all costs? Hell no. I am a scientist to the core, and the truth can always be questioned. I hope Linux comes out on top ...I sincerely believe that it will ...but it's my responsibility to be open to an alternate outcome.

    My .02
    Quux
    http://www.intap.net/~j/ [intap.net]

    My .02
    Quux26
  • First, I agree, they really needed to have put up the RH config info.

    Second, as to the firewall, they specifically stated that it was meant to approximate a "real world" situation. Thus, they used a firewall to prevent "stupid" attacks, like DOS. How many real world servers are all alone in the night? Not that many. Most (smart) admins put some kind of firewall in the way. That is what PCW did.

    As to their apparent lack of Linux-savvy? Well, I would have liked it better if:

    1. They had an NT expert configure NT, and a Linux expert configure Linux, or
    2. They had a joe-shmoe admin, that knew equal amounts about both OSes (i.e. little about either) configure both, with default, or nearly-default settings on both.

    Remember, for a real world test, you should have a real world configuration, not an artificially extra secure one, or one that takes so many tweaks that no professional sysadmin would spend the time applying all of them. I, for one, would rather spend an hour configuring a mostly secure NT box than spend two days configuring a perfectly secure Linux box. (Or vice versa, whichever happens to be true at the time.)

    Remember, time is money too. My boss lets me play with Linux all I want during spare time, but when I have to make the server work now, he doesn't want to wait the extra three hours while I get the Linux box perfect. He'd rather have the NT box "good enough" now. Admittedly, I'm an NT-guru, and I'm fairly new at Linux (only 3 years of experience, but I'm getting better. I've had my home server running flawlessly for multiple months now) but I think I know enough that it shouldn't take me 10 times as long to do the same tasks.

    And just so you don't think I'm too GUI-happy, I loved my DOS box, and still use the command line all the time in NT. (I have the services for UNIX installed to make it a really happy NT box.)

    Okay, <rant mode off>

  • you're right on, but I think there's more to it than that. One of the big consequences of OSS is that it eliminates "security through obscurity." In general, we all agree that this is a Good Thing (tm) because in the long run it promotes the discovery of security holes that might otherwise lay dormant. However, this means that we are going to have to accept the fact that Linux will LOSE EVERY SINGLE CHALLENGE of this sort vs. NT. Why? because these challenges are fundamentally misguided. Finding bugs in NT is frustrating and hard, because most people don't have the source code. However, I'd much rather have lamerz trying script-based attacks on my machine than have some serious hacker able to reformat my hard drive because there has been a backdoor overrun exploit in Windows since 3.1 - that's ultimately worse, and these lame hacking contests miss the point.

    That said, I think it's important that we try as best we can to write apps that make it easier and easier to prevent the 3l33t d00dz from running script attacks against vanilla linux boxes run by newbie administrators who just switched from NT.
  • "linux" is the kernel; Redhat, Debian, Slackware, SLS (*grin*), SuSe, etc. are OSen.

    NT "out of the box" (read: straight off the CD) is far more problematic than most Linux distributions "out of the box". How many service packs and/or hotfixes are required to keep NT 4.0 from walking off a cliff? [Redhat is a bad example, but I'll use it anyway.] How many updates are required to keep Redhat 4.2 from jogging into on-coming traffic? In both cases, you will need to turn a few things on or off depending on what you selected during installation. (And in the NT 4.0 case, you need to install the 70M IE4 to get it near usable -- it shipped with IE3 which cannot be used to access even Microsoft's download section(s). I find that damned annoying.)

    Kernel to Kernel, linux and NT are too close to call. Just look at how often kernel related defects for both systems turn up. Which is more secure? Neither. Both systems can be compromised -- it's generally easier on a linux system due to the ease of (nearly) replicating the system and the availability of code to thumb through. (It's hard to break into a black-box.)

    Given a choice, I'll take any UNIX over Windows. I like having a command line; I hate having magic hidden behind GUI buttons; And I _like_ being able to "telnet" into my UNIX server that has no video device at all.

    "I don't care if a pair of gerbils could break into it; I'm gonna use linux."

  • The NT box is still up, and CAN be hacked. I know, I already found a workable hack to steal user information from the NT server. Of course, will I still get $1000 for being the first to compromise the NT Server or is the "contest" officially over... Anyone know if it's still going on? Or should I just post how to hack it. -Alascom
  • Maybe I am atypical. When someone hacked my box, I was lucky enough to be there and yank the power cord out of the router before they managed to do anything but add a user and start downloading a trojan-ed bash. I didn't go crying to the newsgroups, I looked at the syslog output and found out what the hole was, patched everything up, and restored everything. I triple-checked my Tripwire logs to make sure that nothing was disturbed, grabbed the backup tapes and archive CDROMs I burn every 3 months, and spent several hours without it being online. I rigorously checked, rechecked, and patched, and then put it back up. They started banging away not 30 minutes later, and have been banging on every hole that comes through BUGTRAQ and everywhere else. Now I stop all work to patch a hole (rather than doing it after hours, even if I have to tell everyone to stop what they are doing - and yes, they still complain, but I don't listen). These things may seem like a lot of trouble but then again, so was the last time I patched an NT box - which broke lots of software, I might add.

    Merely un-checking a box won't make you secure to anything but that attack, BTW. If you run a web server, or use ICQ, or any other host of problems, not to mention DoS attacks which aren't patched in Windows, you are open. Kindly give me your IP address and I will demonstrate. Not to mention that Linux is a "one stop shop" for network services and NT is basically shipped without too many useful services IMHO.

    As to why not crack the NT box, well think about it: if I logged thousands of hours living and breathing Linux, and dozens with NT, I am going to get into the Linux box. Bottom line. If I am a car thief that likes Corvettes, I am not going to steal the Mustang unless there is nothing else around to steal. And as far as helping MS: I think it's a lame argument, personally. But given that they don't go to any lengths to replicate a real-world environment (NT is the most superior OS ever in Marketing Land!), why go through all the effort to try when everything that works in the real world won't work at all? Then they proudly display their logs, show the failed attacks, and say "Look, no one could get in!".
  • by tgd ( 2822 ) on Friday September 24, 1999 @09:01AM (#1661942)


    Why do you refuse to prove your point by actually cracking an NT box in one of these challenges? On a related note, I have heard
    as an excuse for Linux in response to the ZDnet trial, "A system is only as good as its administrator." This seems true, but if you
    really believed it, (A) you would know that you would not be helping MS by cracking NT, you would be helping only the particular
    person administrating that box, and (B) you would be proving your as-yet undemonstrated point that NT is at least as insecure as
    Linux.


    Part of the thing that people sometimes miss is the higher number of underqualified administrators administrating NT servers than Unix servers. With the meteoric rise of Linux, that's becoming less the case. These days any joe-blow can throw redhat on a machine in ten minutes and leave it at that. A few years ago it wasn't that easy.

    It's also probably worth pointing out that on the net, there's more usefulness that comes to a cracker in cracking a Unix system than an NT because of its inherent multiuser ability, and the fact that many things can be easily configured through text files. That makes them a prime target for script-kiddies, both because they're easier to reconfigure in a small amount of code, and because of the fact that actually getting into the server is more useful. Therefore, there's a lot more exploit scripts it seems for Unix than for NT. I don't think that's because of any lack of security holes in NT, but rather a lack of reasons to bother hacking an NT machine beyond pointing out to the administrators that NT is a bad solution.

    Why do I read, in every mailing list and newsgroup, posts from Linux people saying "HELP! Someone cracked my box! What do I
    DO??" These would seem to back up my first point.


    For the same reason as I said above, as well as the fact that most Windows users probably wouldn't notice the fact that they'd been cracked. They can't simply type "w" and see who's logged in, and they're more used to seeing their computer slowing down and having the drives running for god-knows-what-reason. Last time I was using a cable modem, there were several dozen machines that would've been rather easy to get into because they had their drive shared without a password. Short of deleting all the files, how would anyone possibly know I was in their stuff? They wouldn't. And even if I deleted any of their files, without the logging present like there is under Unix, they wouldn't be able to figure out that it was an external user that wiped the files, and not some weird glitch in the system.

    Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL,
    all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a
    password. If you wanted Linux to be more secure, you could try making it easier batten down the hatches.


    It's more complicated because you're running a server OS. That's been discussed to death -- the fact that there aren't (yet) any good "desktop" distributions, that won't by default install all the services that aren't actually used. Linux is easy to tighten up, but you've got to know that you need to do it, and you've got to know that the desktop system you installed has as much capability as any "server". A lot of people don't know that, and don't understand what that entails.

    I'm hoping to find out that Corel's distribution ends up a "client only" distribution... that'd go a long way towards making that distinction clear.

  • I think it's only fitting that the Linux box got cracked first, even if it was sort of a cheap way to do it - not because NT is a better designed or more secure OS (yeah, right), but because of all the fire-breathing anti-MS fanatics who think that even in the hands of a newbie administrator Linux servers are more secure than Fort Knox. (I refer any readers back to some of the /. posts when Hotmail was cracked - many people immediately assumed it was an NT problem without knowing any of the details.)

    The best aspects of open source movement are its emphasis on choice and community - contests like this make some of the open source folks look like the same kind of supercompetitive, manipulating people they usually bash.

  • Just lurking in all the stories about linux vs NT security challenges, and it seems like most slashdotters are incredibly one-sided in their views, driven more by a sense of rebellion than anything else.

    Yes, and the Micro$ofties are equally one-sided. Anyone truly impartial probably doesn't care enough one way or the other to state an opinion.

    When somebody challenges people to break into their linux box, somebody eventually does, and all kinds of excuses are offered.

    I think the Linux PPC box is still running unhacked.

    When somebody challenges people to break into their NT box, the linux sneetches with stars upon thars scoff, "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!"

    Agreed, that seems to me to be a cop out. I think the Unix advocates know too little about NT to actually make an attempt. I think the reverse is probably true as well, the NT advocates don't know enough about Unix, which is why they have these "hacking contests" (which seem to be mostly promoted by Windows people) to get the Unix folks to do the Unix cracking for them.

    Really, I think the main reason Unix gets more attention from hackers than NT is because Unix is just more interesting to hack. There have been decades of real-world experience to understand the security issues associated with Unix. And once you're in, you actually have a rich remotely-accessible environment to play in.

    NT on the other hand is a different beast. Being a closed system and relatively new, the security issues are not nearly as well understood, even by NT "experts". And everyone seems to acknowledge that NT is not as good a system to access remotely, which makes a successful crack less fruitful.

    Ultimately I think it's more a security vs. obscurity thing. People don't hack NT not because it's unhackable, but because they just don't know how to hack it, and hacking it is ultimately uninteresting compared to hacking Unix. I wouldn't depend on this obscurity to protect anything of real value though.

    Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password.

    Don't forget to disable your web browser and your email software. Er, wait... Why are you connected to the internet? ;*)

    If you wanted Linux to be more secure, you could try making it easier batten down the hatches.

    It's not that hard to disable services... Is it?

  • what is PC Week? It is a magazine oriented towards Windows users.

    Actually, it's a magazine for managers of PC networks, not "Windows users". Maybe you are thinking of "PC Magazine".

    This means lots of Novell, NT, and Linux coverage. Those are pretty much the most popular PC server platforms right now. Most of the advertising in PC Week seems to be for network hardware and software. There are very few straight Windows user applications being advertised.

    Of course, the #1 vendor for these folks is Microsoft, so there is a huge amount of MS coverage. (But contrary to Linux paranoia, not every PC network manager is a MS drone. Simply that most IT shops have a vested interest in MS's plans and legal problems.)

  • For those unfamiliar with the term DMZ, it stands for De-Militarized Zone. The notion here is that you have:

    1. The Internet.
    2. A firewall
    3. The DMZ -This is where your Webservers go. They should be running minimal, secure services, static (ro) data, cgi's, etc.
    4. Another firewall. - only allow access from the DMZ into your production net where absolutely needed (database, etc.)
    5. Your internal network.

    Additional good ideas are:

    1. Use the "--rtfm" flag. There are tons of FAQ's out there that tell you to choose cryptic passwords, turn off services, limit access to needed IP's only.
    2. Use NAT and private IP's. This is not a cure-all, but it is a lot more annoying to crack an IP that you can't get a route to.
    3. Disable network access on your routers. Get a serial-console server and place it somewhere well protected.
    4. Sacrifice a goat.
    5. Use sanity-checking application proxies. For example, if your web-servers need "write" access to an oracle database, install a proxy that verifies SQL queries against the set of queries that you've installed on your webserver.
    6. If in doubt about using a restrictive fw-rule or policy, use it. If this breaks your application, you can remove the rule.
    7. Install bogus services (and log activity). Most "original" cracks aren't instantaneous, they usually involve some poking around.
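Item 5 of the list above (a proxy that verifies SQL against the set of queries installed on the web server), sketched as an added example that is not part of the original comment. The approved statements, table names and function names are constructed for illustration, and matching on statement shape with literals masked is one assumed way to implement such a check.

```python
import re

# Constructed allowlist: statements a hypothetical web application is known to issue.
APPROVED_QUERIES = [
    "SELECT title, body FROM articles WHERE id = ?",
    "INSERT INTO comments (article_id, author, body) VALUES (?, ?, ?)",
]

# Tokenizer: strings are matched before comment markers so that "--" inside
# a quoted literal is treated as data, not as a comment.
_TOKEN = re.compile(r"""
    (?P<string>'(?:[^']|'')*')            # quoted literal, '' escapes a quote
  | (?P<comment>--|/\*)                   # comment openers can hide a payload
  | (?P<number>\b\d+(?:\.\d+)?\b)
  | (?P<word>[A-Za-z_][A-Za-z_0-9]*)      # keywords and identifiers
  | (?P<placeholder>\?)
  | (?P<punct>[(),.*=<>!+\-/;])
  | (?P<space>\s+)
  | (?P<other>.)                          # anything unrecognised: fail closed
""", re.VERBOSE)


def fingerprint(sql):
    """Return the statement's shape with every literal replaced by '?'.

    Returns None when the statement contains something the proxy refuses
    outright: a comment opener, a stacked statement, or an unknown character
    (which also covers an unterminated quote).
    """
    shape = []
    # A single trailing terminator is tolerated; an inner ';' is not.
    for match in _TOKEN.finditer(sql.strip().rstrip(";")):
        kind = match.lastgroup
        text = match.group()
        if kind == "space":
            continue
        if kind in ("comment", "other") or text == ";":
            return None
        if kind in ("string", "number", "placeholder"):
            shape.append("?")
        elif kind == "word":
            shape.append(text.upper())   # unquoted SQL names are case-insensitive
        else:
            shape.append(text)
    return " ".join(shape)


ALLOWED_SHAPES = {fingerprint(q) for q in APPROVED_QUERIES}


def is_allowed(sql):
    """True only if the statement has exactly the shape of an approved query."""
    shape = fingerprint(sql)
    return shape is not None and shape in ALLOWED_SHAPES


if __name__ == "__main__":
    # Constructed sample traffic from the web tier.
    samples = [
        "select title, body from articles where id = 42",
        "SELECT title, body FROM articles WHERE id = 42 OR 1=1",
        "SELECT title, body FROM articles WHERE id = 42; DROP TABLE articles",
        "INSERT INTO comments (article_id, author, body) VALUES (7, 'O''Brien', 'nice -- post')",
    ]
    for sql in samples:
        print("PASS " if is_allowed(sql) else "BLOCK", sql)
```

Because only the shape is compared, a changed literal passes while any added clause, operator or statement is blocked; the proxy still has to log blocked statements for the check to be useful in the DMZ layout described above.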
  • Hey, it's a valid test. After four days of merciless attempts to compromise the system, they've determined beyond a reasonable doubt that nobody at PC Week has a clue when it comes to Linux.

    This is news? :)
