PCWeek "Hack This Page" Cracked 258
mrflip writes "On September 20th, PCWeek announced a $1000 contest to be the first to hack either the linux or the NT server they set up. Well, four short days later, the linux box seems to have been compromised. The winner states "Hi guys, It's been a nice challenge, now send me the cash :)." He explained that the exploit was not a linux feature but was due to a closed source CGI script with improper security checks." Going to require Solomonic ruling - the intent was to test the two OSes, and this is obviously not an OS test.
These aren't the crackers you're looking for (Score:1)
These stunts generally only attract script-kiddies... a population against which any reasonably competent sysadmin can protect themselves with a fair amount of effectiveness no matter WHAT their OS is (yes, even NT).
The type of cracker that doesn't go in for these cheap publicity shots is the type that you really need to be worried about anyway, and those crackers will penetrate your defenses no matter what you do to stop them.
For an interesting read on the type I'm referring to, check out the 8 second crack [securityfocus.com] article on the internet auditing project. It's a long (but interesting) read; the particularly juicy part is down in the Third week section.
That kind of cracker doesn't particularly care which OS you're running, they'll drop you in your tracks no matter what.
-- Gary F.
Re:Can you say "one-track mind"? (Score:1)
Something that I think a lot of people fail to forget is the fact that linux is not a desktop OS (yet). As things stand now, linux is a server. It doesn't "do" games like windows, it doesn't "do" the common desktop things like windows does. Face it. In the area of mass induhvidual usage, windows has the market.
But Dave! What of GNOME and KDE? I shall enlighten you. They are wonderful. They are ubercool. But have you ever tried to sit a newbie down in front of gnome and explain the concept of "multiple desktops" and the "pager" to 'em? The reason linux is harder to secure is because most distributions' default install starts up all sorts of unrequired stuff, because, generally.. well, really, I have no idea why they start it up. When installing windows, you don't have to worry about a FTP server, or a NFS server, or a NIS/NIS+ server, or a DNS (would you like caching with that?) server, or a ...
I want a rock.
Re:No one has hacked the NT machine ... (Score:2)
Re:Too many variables (Score:1)
>Question- if the same CGI script(s) were running on both systems, why didn't it fail on the NT system as well?
They didn't run the same application on both servers.
Here is a quote from a ZDNet [zdnet.com]
They go into other details on the page.
Good for Linux in the long run (Score:1)
Re:: No one has hacked the NT machine (Score:5)
Re:Why isn't a Mac involved? (Score:1)
Re:What if IIS had the hole? (Score:1)
Re:CGI Script Security (Score:1)
No, it's not logical at all. Why would you run a webserver as a different user and then chown all the files in htroot to that user's ID?
What's the point? The idea is to do damage control and so the webserver's uid (nobody) shouldn't have any rights to do anything else.
Re:OS security? (Score:1)
--
Re:Can you say "one-track mind"? (Score:1)
Last year, someone on alt.hackers.malicious bothered everyone when he posted his IP address and told the people they would not be able to hack him, because his nt-box was so secure. This happens always by someone who wants to get someone else in trouble, but this time it was really the guy's own machine.
Three days later he posted from a different os (w95) and told that someone had broken into his machine and wiped his hd. He continued to say that this guy had contacted him afterwards and that this guy was a security pro. The pro explained to him that he didn't have any chance from the beginning, despite following all ms security advisories - that's the joy of black box systems...
Re:Can you say "one-track mind"? (Score:1)
It is in the NT Server Resource Kit.
You can see who is accessing your (or anyone else's) files. Actually can be very useful.
Oh, do linux installations ... (Score:1)
Re:Well what did THIS prove? (Score:1)
P.S. Any news regarding the 'RedHat Linux on NT' diagnostic by netcraft ?
People count (Score:3)
Re:Troll (Score:1)
Of course it has. With Inferno for instance you would have run the script with an empty name space (the script can only access an empty directory and nothing outside of it), and it won't matter if you are user sys, nobody, or god. You can achieve the same thing by doing a chroot on your script, but then your server needs to be running as root, and some problems appear. Because chroot brings too many problems, it is not used as much as it should be. Because Inferno namespaces are properly implemented, they would be the default on any server using CGI scripts. Security by correct design.
If the script was running as "nobody", it would be nearly impossible to crack the system with it.
First you are assuming that no setuid program is available that has problems (which I doubt). Second you are assuming that reading some files is not a problem, with which I disagree (for instance, some files could hold passwords, used by other authentication CGI scripts, run as "nobody").
You can make a Unix installation secure (with chroot, directory changes, etc...), but the problem is that you have to go through an exhaustive examination of possibilities (you must set all the directory/files user/group/public rights correctly, and check that all the scripts create files with proper rights). The problem is: everything that is not explicitly checked and forbidden might be exploitable. Compare with Inferno security, when you empty the namespace of a process: everything that you have not explicitly allowed is not doable. Unix is insecure by default, but can be secured by exhaustive review. This is not a good security model.
Unix security could be better, but setting it up correctly would have prevented this crack.
It should have been set correctly by default. It wasn't, because it is inconvenient, or not possible (the CGI author doesn't know how 'nobody' is used on the host machine [could be used for printing, etc.]. Only the admin knows, and has to review everything).
Re:Dan Attenborough (Score:1)
It must be tested
Totally agree.
I hope Linux comes out on top
Okay, I was responding to one point in your post, we both know this, and I know that you didn't mean it quite the way it came out, but I still felt inspired. It's not often that I do that, well, at least as effectively.
The most secure OS will win, and we ALL know that that hasn't come out yet.
Linux isn't it, WinNT isn't it, Mac isn't it, BeOS isn't it(not much of a server even, but it's not made for that, which is another point, but I like mentioning my fav OS in any post:), FreeBSD isn't it.
Any system that is turned on is insecure. We all know this. It's the first rule of computer security. However, all solutions must be tested fairly.
I'm all for these competitions, not because today the NT folks come out on top and tomorrow Linux will, and so on, and their respective zealot users will still bicker and post on comp.os.*.advocacy. As long as the coders and testers and hackers (the survival of the fittest element) realize what's going on, I think these contests do nothing but help.
For *'s sake, it's just an operating system!
Just because I'd build a machine for my girlfriend and put windows on it doesn't mean windows is the end all/be all. Just cuz I'd choose Be as my desktop and Linux as my local server, doesn't mean anything!
Security is everyone's business, not just the NT or the *nix folks or the mac folks either. When one site gets hacked, there's something wrong, fix it, no matter the OS.
This pesky OS battle shit is dumb and we all know it, even if we continue with our little Linux/Be/Win/Mac/BSD/Amiga/Unix/(brand new thing here), we need to get our heads out of our ass and realize that command prompt or mouse pointer, there's work to do.
For some of us that's security and stability issues. For others it's just to type a memo, for others still it's the great american novel or CD of the year.
Have a nice day.
Pay up, fix the problem and try again (Score:3)
Re:[offtopic] a gender neutral way to say it (Score:1)
Referring to a single person of unknown gender as "they" is common slang but is not correct English.
Or maybe it's just incorrect in the American dialect of English especially since the FAQ reference given is to an American site.
Note that in English there is at least one other example of a supposedly plural pronoun being used as singular. Though you have to be the monarch to do so.
Too many variables (Score:2)
Re:Can you say "one-track mind"? (Score:1)
For the same reason as I said above, as well as the fact that most Windows users probably wouldn't notice the fact that they'd been cracked. They can't simply type "w" and see who's logged in, and they're more used to seeing their computer slowing down and having the drives running for god-knows-what-reason. Last time I was using a cable modem, there were several dozen machines that would've been rather easy to get into because they had their drive shared without a password. Short of deleting all the files, how would anyone possibly know I was in their stuff? They wouldn't. And even if I deleted any of their files, without the logging present like there is under Unix, they wouldn't be able to figure out that it was an external user that wiped the files, and not some weird glitch in the system.
Actually, NT's file auditing features are great. The NT security model is very smooth on the small scale. I mean, within the server and for remote connections to the server. They're just not turned on by default... but neither are Linux's.
Credit where credit is due. The fact of the matter is, unless this CGI hack managed to somehow dig out a root exploit from a non-privileged account, this was not an OS bug. Linux as an operating system DOES protect against this sort of thing. There is no reason whatsoever that the files should have been capable of being modified by the user of the CGI application. The fact of the matter is that the operating system was not configured at all for security. They relied 100% on the CGI application to defend their files.
A non-privileged application had a bug in it which allowed someone to modify unprotected files. Quick, send out the CERT advisory!
Re:PHEAR! Let's examine the facts, first (Score:1)
Linux is not that easy to setup securely. And obviously, looking at the LONG list of non-standard changes made to the NT box, neither is NT.
If you are making "non standard" changes with the idea of increasing security you had best know exactly what you are doing. Otherwise the most likely result is less security.
Pay up to the guy that got in. Then fix the flawed CGI (or release the source so that somebody who's competent can), and run it again.
Or if they don't want to release the source of the CGI
... (Score:4)
... It's the responsibility of the Operating System to ensure security. blah blah blah.. It is obvious that linux does not have Enterprise-level reliability. blah blah blah... blah blah.. IIS is better than Apache... blah blah... The problem here is that the user doesn't have access to a GUI, and thus can't see problems like this... blah blah blah... Of course Microsoft would have released a service pack by now - what does the Linux offer? A cryptic "patch" option. They should have an easy-to-upgrade "click here to compromise your security" feature like NT does... blah blah blah...tune in next week for 'Why I'm so cool, and you're so not.'
--
The Art of FUD (Score:1)
Rather, I believe that Linux can be at least as secure (and much more quickly fixed) as NT. As numerous people have mentioned, it is a matter of the people administering the system not taking the proper steps. But I don't think this necessarily reflects on them either. (Well, in the case of these "tests" I think it is sloppy. I'm talking about general use of the OSes.)
My concern lately has been on user education. People have to know what they can do to improve their systems, that it is not the OSes fault but simply corrections that need to be made in the setup. I'm not sure about how this user education should occur, but I know it is important. Both Linux and MS zealots will use the latest error-filled results to push their platform, but the end user is not helped by choosing either of these without education about what each really entails.
As far as your comment about no real OS existing anymore...Ok, I see your point. I see no backup for it, no reasoned explanation. You are right, I personally cannot recall an OS which was the epitome of user friendliness while incredibly powerful. And I agree that the future will have OSes that come closer and closer to that goal. Of course, I believe the future is whatever we make it, so I plan on pushing Linux towards that perfect blend.
LoppEar.
Re:CGI Script Security (Score:1)
Pony Up (Score:1)
I just have to think that if the same thing happened to the NT box, there would be no grumbles. A victory would be declared and any talk otherwise would be met with much flameage.
Fact is, we all know that Linux can squish NT flat. Let's set up a test that proves that.
My
Quux26
http://www.intap.net/~j/ [intap.net]
Well what did THIS prove? (Score:5)
#1, Absolutely nothing about NT or Linux itself.
#2, A chain is only as strong as its weakest link. In this case, the weakest link was a poor CGI.
So where from here? Let's try it with a better CGI, maybe let everyone see the conf files or something.
Or maybe PC Week should release all the conf files to the cracked box, so the Community can comment on what should/shouldn't be in there.
Re:[offtopic] a gender neutral way to say it (Score:1)
Actually, the term "they" is plural, leading to a subject/verb disagreement. That really counts as slang and is commonly used, but it's improper English (my teacher jumped on us for that). The only proper way to say it that I know of is "While he or she didn't exploit an OS-specific hole..."
Re:People count (Score:3)
--
Re:[offtopic] a gender neutral way to say it (Score:2)
Many people argue that anything used widely enough becomes correct. This is true but I don't like it (although I don't have time to learn Latin...
From a practical standpoint, using "they" as singular makes a correctly singular noun sound incorrect, e.g. "Everyone was blowing their nose" vs. "Everyone was blowing their noses" - borrowed from the alt.english.usage FAQ [hp.com]. "Everyone" is singular, requiring the singular "nose", but "their nose" sounds strange...
For information than you ever wanted on the topic of gender-neutral pronouns, see The Gender Neutral Pronoun FAQ [lumina.net].
Now for a real test (Score:1)
The only problem is that this only shows the resilience to script-kiddies. Most of the serious intruders (you know, the ones who do this kind of thing for PROFIT) would never be so stupid as to take part in such a contest. Plus most such intruders are INTERNAL, and end up using non-network based attacks (e.g. physical access, social engineering, etc). As the man said in "War Games [imdb.com]": "Mr. Potato Head! Back doors are not our secret!".
There is a point of diminishing returns in tests like these, and I think those of us who have the source to our OSes in our grubby little hands know who's safer....
Re:[offtopic] a gender neutral way to say it (Score:1)
That's "MORE information than you ever wanted..."
Re:[offtopic] a gender neutral way to say it (Score:1)
Common usage is far from correct usage... Try watching daytime talk shows.
Re:What if IIS had the hole? (Score:1)
You can download and install IE5 separately too. According to MS it is still 'integrated' and a part of the OS.
Re:Sounds like a valid result to me (Score:1)
some code must be closed (Score:1)
Security through obscurity works, just don't depend on it as your first line of defense. If you don't know who's watching or where the loot is, there's really not much point of picking the lock.
BTW, it's called "PC Weak"...
--
"Linux" (Score:1)
This shouldn't be a Linux vs. NT battle. Make it an Apache vs. IIS battle (or Perl vs. ASP if you want) and leave the underlying operating system out of the whole mess. It just results in bad press for both parties (i.e., in the LinuxPPC contest, the NT server was never actually "hacked", yet it was down half the time which made it look bad.)
pcweek test (Score:1)
Re:Real world usage. (Score:1)
Re:Must Resist (Score:1)
Check the online PC Week archives at:
http://www.zdnet.com/pcweek/filters/past/
Re:People count (Score:1)
Re:Scientific method (Score:1)
Point very well taken. What I mean to say is
My
Quux26
http://www.intap.net/~j/ [intap.net]
Re:Can you say "one-track mind"? (Score:1)
It's annoying to me that the default Redhat installation is to have all services running, so that it's relatively easy to hack into my system. When you install NT out of the box, it doesn't automatically install a web server, an FTP server, a telnet server (not that NT has telnet servers...)
The point is, for newbies, Linux is insecure. You have to know *something* about network administration to protect your box, even if it means editing your startup scripts or your hosts.deny file. And, as more and more people use ADSL and cable modems (like me), there are more and more insecure Linux boxes out there.
It's Redhat's fault, not Linux's. But it's still a "Linux" distribution issue.
---
Ziff Davis 0wn3d by MS, your responsibility (Score:1)
This does prove something (Score:1)
On NT, this isn't true. You have to use their little GUI to add users and such, so it would be pretty hard to actually be able to intrude the box by exploiting something like a CGI script. You may be able to erase files and things like that, but not actually get in and make yourself an account.
So, basically, the reason Linux lost was because it is flexible and extremely controllable from a command prompt. Can Microsoft say anything like that about NT? This may lead to a loss in security, but I guess it just makes sure we do our homework when setting up remotely accessed services.
Re:Was it really a suprise? (Score:1)
Re:What if IIS had the hole? (Score:1)
You buy Windows NT *SERVER*. You can make it a file server, a domain server, a DHCP server, a WINS server, or an Internet server. If you want it to be an Internet server, you install IIS. IIS is supplied as part of the OS by Microsoft to all owners of NT Server ON THE INSTALL CD's (Apache happens to come with some distros, but it comes as part of the applications library, not as a part of the kernel or base install). It was created by the creators of NT Server (Apache != Linux). It integrates itself into the OS as a system service (Apache doesn't run in kernel space, and doesn't need Admin privileges).
Now, if you said Netscape Server, things would be different.
Amen Brother (Score:1)
Hangtime
Re:Sour Grapes - linux lost (Score:1)
Jesse and lack of accountability... (Score:1)
I've challenged Jesse to debate me online and have never received an answer.
Remember this... Jesse Berst and the like have NO ACCOUNTABILITY! They can say any strange, bizarre thing that pops into their challenged minds without the mildest shred of proof under the guise of journalism.
They don't respond, nor do they take responsibility for their actions. Just typical arrogant Microsoft people.
You do know of course that ZD-Net is essentially a Microsoft flunky. After all... They are owned by SoftBank, and SoftBank (based out of Buffalo, NY) does a LOT of technical support for Microsoft.
I guess there is no such thing as conflict of interest, so the individual who has never touched Linux in his life, (jesse) can go right on saying what he is saying...
Remember his little article on "Can you get fired for recommending Linux?" No case studies, no proof...just toeing the Microsoft party line...
Cheers,
Nicholas
PS: In case you haven't guessed a majority of so-called journalists are this way especially on the internet. If it is something they don't understand....oohhh..scary...let's talk bad about it...
Re:People count (Score:2)
Re:People count (Score:2)
The fact is that all of Microsoft's recent success -- especially with respect to Windows NT -- can be attributed to the successful marketing of a single message:
Any idiot can run Windows NT. It takes a genius to manage Unix.
The appeal of this message to IT directors and CIOs is clear. MS has successfully planted the meme that a company can get more done with 2 green MSCEs at $35k per year than with one seasoned Unix admin at $75k per year.
Of course, those of us who are in the trenches with NT and Unix on a day-to-day basis know that this argument is a load of fetid dingo's kidneys, but we're not the ones who make the enterprise architecture decisions... and Microsoft is taking full advantage of that fact.
The challenge for the Linux and Unix community is to demonstrate the fallacy of Microsoft's message -- to show that "Wizards" and other GUI sleight-of-hand are not a substitute for knowledge and experience. How to do this? I don't know. NT directors and CIOs don't like to admit they've been snowed by crafty salesmen.
On what theory? (Score:2)
I'm not sure what happened, and the site doesn't seem to say, but if they were running CGI input without checking it they're:
a) Dumb
b) Limited to what that CGI can do.
If they configured their machine so that their CGI can do security leaks, what is the OS supposed to do, say "No, you can't do what you want. Go away and stop trying to be creative?"
As many people have pointed out, an OS is only as secure as its weakest link. The person at the keyboard is a necessary link, so if they're your weakest link, you're in trouble. The same would go if this was just a bad asp script.
You might be able to make an argument that the same sort of flexibility doesn't exist on NT and thus you can't do this sort of stuff. While that may be true, do remember that walking is generally safer than driving. When you can do more, you can also go wrong in more ways.
It all boils down to knowing what you're doing. I forget who said it, but "If you make a device idiot-proof, nature will make a better idiot."
Try using the defaults then (Score:2)
And as soon as you can break into some code running as administrator (or the OS itself, that is something like a third of the code, isn't it?), you can just install BO or something like that and get some decent remote-administratability options.
NT is no more inherently secure in a full security-breach than Linux is. In either case you're screwed if someone can compromise the superuser. And NT has plenty of services either running as administrator or in kernelspace. Can you even run a daemon-like service as a regular user under NT?
I find it interesting that ZDnet ruled out... (Score:3)
Since vanilla NT has virtually no remote administration or remote anything capabilities, it had a natural advantage in this test. Turn off NT File Serving, and you have to put machine code on the stack to change files (annoying and not worth $1000). On Linux, I could just root the machine and then enable telnet, configure the shell of my choice, set all my little aliases, and it would be just like home.
IMHO, NT is more secure out of the box than most Linux distros. If you want perfect security, may I recommend a piece of wood (not as much functionality as NT, but very very secure).
Rules (Score:4)
The only fair targets are the securelinux.hackpcweek.com, and securent.hackpcweek.com sites. To win the 1000 gift certificate you must mark up the home page or steal a file called top secret. Denial of Service attacks spoil it for everyone, and get nothing accomplished.
That's it. If that's all they have for official rules, then this guy should get the cash. While s/he (so as not to offend all those female crackers
Looks to me like next time they need to include some fine print like every other contest does
-mike kania
Fair fight (Score:2)
"I only believe in a fair fight when I can't rig it in my favor."
"The number of suckers born each minute doubles every 18 months."
Re:... (Score:4)
..Linux is the wave of the future...blah blah blah...open source is the way to go...blah blah blah...
:)
-mike kania
cute (Score:3)
"Absurdly complex" appears to be quantifiable when one OS has something like 20 million lines of code and the other something on the order of 2 million.
One advantage Linux has is that it is relatively easy for a competent user to configure it the way he/she wants to. This appears to be much more difficult under NT. The "lots of little tools" philosophy isn't there -- a complex aggregate which cannot be broken down into simpler pieces is harder to understand and analyze than one that can.
In any event, anything worth doing is usually pretty tough. There's no competitive advantage in offering a service Just Like Everyone Else's, and doing easy, fully understood things isn't much fun. This goes far beyond OSes and webservers.
/Life/ is absurdly complex. Get used to it.
The point (Score:4)
NT gets better, Linux gets better. I don't have any axe to grind, and this outcome would please me. Better operating systems; who can be against that?
CGI Script Security (Score:5)
If the web server is running as nobody, then shouldn't the CGI script be running as nobody too? No competent web server admin would allow the root docs directory to have 666 permissions or run the web server as root. Was this CGI script 4755, or was the directory set up with bad permissioning?
I could see exploiting a CGI script to get it to email you a sensitive file or display sensitive information, but they must have had the web server misconfigured to make it that easy to change a page in the doc root.
Re:Well what did THIS prove? (Score:2)
I don't get mad, or jealous when Microsoft wins one-and all the excuses in the world aren't going to help. So, apparently what we have learned is that we need to make Linux more secure right out of the box-and easier to configure. (Like I said, don't get me wrong-I do understand that it was a CGI blunder), but we really don't need to use this as yet another 'crutch' to avoid the problems. There are other tests that Linux has failed at-the re-make of the Mindcraft tests didn't prove anything except that the problems can be REDUCED with good administration, and not RESOLVED. So these are the things we need to be pushing RedHat, SUSE, Caldera, etc... to implement in their distributions.
P.S.: There is a similar crack-contest going on at http://www.3rdpig.com [3rdpig.com], and they are offering a $1000 dollar reward as well, you have to get the contents of a file called SecurityDemo. This is a great example of a nice-secure system, but unfortunately it is still pretty buggy. If you go there you will see what I mean. It is very hard to get around, and you are restricted BIG TIME-fork errors flying around in bash, access permissions denied to certain libraries, etc, etc..
What if IIS had the hole? (Score:3)
What I would like to know is, did the CGI ship with the RH distro they used
They shoulda read the LASG (Score:3)
Re:Must Resist (Score:2)
All of these contests are designed for Linux to lose. Although PC Week has been expanding their coverage of Linux, what is PC Week? It is a magazine oriented towards Windows users. Look through their ads. 99% of their ad revenue are for products for Windows.
The way I see it, there is no real way to test the two operating systems against each other. Somebody will always find something wrong with the test criteria, someone else will scream conspiracy and the whole thing starts over again. Who cares if Linux got hacked first. It doesn't matter. I use Linux because I enjoy it, not because it is "hack-proof". I find it easier to get the things done that I do.
There is no such thing as a 100% secure server. Somebody is always going to find a way to get in. These tests are designed to convince corporate big shots to use one or the other. It's going to come down to CIOs actually listening to what their Sys Admins' real world tests showed for their business, not somebody else's. Your business and systems are completely different than mine. I'm not going to use NT or Linux just because it works for you.
This is not intended as flamebait. I'm just tired of this. It's like all of the sudden Linux and NT need to be on the cover of Consumer Products magazine or something.
My name is Matt and I'm a Linuxholic
That's it! (Score:2)
What's notable is what's lacking on the site (Score:5)
Also, if anyone happened to nmap the two boxen, they probably found the same thing I did...both are behind a firewall and return *identical* scans (aside from hostname):
Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on securelinux.hackpcweek.com (208.184.64.170):
Port State Protocol Service
21 open tcp ftp
23 open tcp telnet
25 open tcp smtp
70 open tcp gopher
80 open tcp http
119 open tcp nntp
139 open tcp netbios-ssn
420 filtered tcp smpte
443 open tcp https
1080 filtered tcp socks
TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: AXCENT Raptor Firewall running on Windows NT 4.0/SP3
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
What's this? These machines are so secure that they need to be protected by a firewall? Why? Are there possibly ports on one of them that can't be disabled any other way? This is mere speculation, but if you're running a contest to show the security of a specific box, do you add external security on top of it?
Too many variables - Yes and No (Score:3)
If you had a flawless operating system but the only applications available for it were crap you would have a bad server platform. In other words, there's a difference between testing an OS and testing a platform.
(Note: I'm not arguing that the case I described is the case with the linux box in the contest - linux is not flawless and apache is not crap. I know it was a bad script and this reflects badly on almost nothing else. I'm just making a point about the hypothetical validity of this kind of testing)
Hacking CGI is fair (Score:5)
Suppose the white hat community is fully caught up with the black hat community, or maybe even a few steps ahead. Any standard script attacks against the infrastructure of your network will fail but there's still a glaring problem.
What about user software? Users like to run software. Some of the software interacts over the internet at large, such as games. Most of it is not designed by people overly concerned with security. People run poorly written CGI scripts. All of this provides the ability to get into whatever account the application was running from. Smart intruders will remain very quiet (dumb ones will post things like "Y3R 0WN3D") and bide their time. Eventually with enough patience and/or intelligence the system can be compromised further.
There's a lot of things that are secured dumbly. People are smart enough not to run web servers as root anymore. They run them as 'nobody', which is fine, but they leave 'nobody' with a valid shell which is dumb.
The only truly secure system is one that is turned off, encased in concrete and sunk in the deepest trenches in the ocean. Unfortunately that isn't terribly useful, but you can increase security by conducting 'what if' thought experiments.
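Two configuration points raised in this thread can be checked mechanically: the "CGI Script Security" comment's question about 666 permissions or a 4755 script under the document root, and the comment above about 'nobody' keeping a valid shell. The audit below is an added example, not part of any comment and not PC Week's configuration; the passwd sample, the `www` account, the document-root layout and the list of no-login shells are constructed assumptions.

```python
import os
import stat
import tempfile

# Shells that conventionally mean "no interactive login" (assumed list; adjust per system).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed passwd(5) sample, not taken from the contest machine.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/sh
www:x:48:48:Web server:/var/www:/sbin/nologin
"""


def audit_account(passwd_text, web_user):
    """Return findings about the account the web server (and its CGI) runs as."""
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or fields[0] != web_user:
            continue
        uid, shell = fields[2], fields[6]
        findings = []
        if uid == "0":
            findings.append("runs-as-root")
        # An empty shell field means /bin/sh, so it counts as a login shell too.
        if shell not in NOLOGIN_SHELLS:
            findings.append("login-shell:" + (shell or "/bin/sh"))
        return findings
    return ["no-such-account"]


def audit_docroot(docroot, web_uid):
    """Walk docroot and list (relative path, issue) pairs a compromised CGI could use."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # permissions of the link itself are meaningless
            rel = os.path.relpath(path, docroot)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if st.st_uid == web_uid:
                # The owner can always chmod and rewrite the file, whatever its mode.
                findings.append((rel, "owned-by-web-user"))
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid-or-setgid"))
    return sorted(findings)


def build_sample_docroot():
    """Create a constructed document root with two of the mistakes named in the thread."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    os.mkdir(os.path.join(root, "cgi-bin"))
    layout = {
        "index.html": 0o644,
        "guestbook.html": 0o666,       # the "666 permissions" case
        "cgi-bin/form.cgi": 0o4755,    # the "4755" case
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)           # chmod after writing, so umask does not apply
    os.chmod(os.path.join(root, "cgi-bin"), 0o755)
    os.chmod(root, 0o755)
    return root


if __name__ == "__main__":
    print(audit_account(SAMPLE_PASSWD, "nobody"))
    # Pretend the server runs under a uid that owns nothing in the sample tree.
    for rel, issue in audit_docroot(build_sample_docroot(), os.getuid() + 1):
        print(rel, issue)
```

On a real host, pass the contents of /etc/passwd and the numeric uid the server actually runs as; an empty result from both functions means a flawed CGI running as that user has nothing under the document root it can rewrite and no login shell to fall back on.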
Can you say "one-track mind"? (Score:5)
Just lurking in all the stories about linux vs NT security challenges, and it seems like most slashdotters are incredibly one-sided in their views, driven more by a sense of rebellion than anything else.
When somebody challenges people to break into their linux box, somebody eventually does, and all kinds of excuses are offered.
When somebody challenges people to break into their NT box, the linux sneetches with stars upon thars scoff, "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!"
If linux is so secure and Windows anything is not:
If linux advocates want any credibility, they will have to stop giving knee-jerk, "heads-I-win tails-you-lose" excuses and begin to demonstrate their claims.
Joel Dueck
In theory, yes, in ego, no! (Score:3)
Well, yes, you're right. perfectly. That should be the point. Better operating systems... of course. Makes a lot of sense. But (and this is the kicker)...
... That is never going to be the point. CrackThis!(tm) challenges are always going to be about ego. The ego of the cracker. The ego of the OS community. Ego. It sounds childish and silly, but that's what it is. These contests, which seem to be common lately, are not about testing the system, really. Sure that is often a nice side effect, but really, it seems that it's more a way to "prove" that such-n-such OS is better than this-n-that OS.
Sad, but true. It should be about improving the OS, but until these contests are restructured to be less inflammatory, people are going to use them as proof for their particular OS fanaticism. That's human nature and will have to be expected in such a setting.
Now, I personally don't have anything against these contests, they do have useful results. But I don't think we can ever, realistically, expect them to be purely for improving the OS in question.
---
Linux box probably a mostly default config (Score:3)
But regardless of if they were careless or not, that's really a non-issue, the issue is that cgi script was at fault. I'm sure that if this script was running on the NT server, it could also have been cracked.
Dan Attenborough (Score:5)
See the linux user in his native habitat, he's tensed, poised, awake, and banging at his keyboard in anger that someone may have cracked his sacred linux, even if it was a cheap shot. He's letting his real skin show, and it's as ugly as the linux command prompt or the blue screen of death. He wants to set up a test that proves that linux is better. The linux user is unaware that such a test is stupid and proves nothing.
This is an interesting specimen, of course. But the average Linux or NT zealot would all speak the same way. "They know they are the best, so let's set up a test that proves it." It shows everyone that the truth is hard to deal with no matter which side of the fence you are on. They don't want security, they want their way.
Oh no! Here comes Demons and TAO, "the ultimate OS" representatives! Amiga and BE! OH! The humanity, they're squabbling for leftovers! Oh, the elephant of NT is here, trying to trample them all! Penguins are being smashed by the dozens, more and more are pecking furiously at the elephant. It's getting too much for the pachyderm, it slumps down and dies. The demon rips off the trunk of the dead evil NT elephant, and the penguins keep pecking and squawking, sure of their superiority.
Is that movement in the bush? Oh, indeed it is! I can't quite make it out, but it's grabbing everything and eating them alive! Oh! The humanity!
They never saw what hit them. They were just standing there, all quacking and whatever else they might do, and something ate them all! Oh, my Lord! What predator can do such a thing? Obviously it must be higher on the evolutionary ladder!
We had best get out while we can!
Signing off, and remember, don't ever stand still and gloat and assume you're safe, or you'll get eaten.
Sounds like a valid result to me (Score:4)
If you take 100 users and tell them to set up a challenge like this, and in more cases the Linux box ends up getting cracked and the NT box does not, then Linux "system" is clearly less secure, regardless of whether it is the Kernel, a subsystem, an add-on package, the documentation, the ease of use, or the user's own idiocy that results in the break.
These days systems like Linux and NT are so absurdly complex that you can't talk about the security of "the operating system" in isolation.
And before you label me a MS troll, let me say that I think both NT and Linux are really lousy operating systems. They are like the left and right extremes of the political spectrum. On one hand you have the totalitarian Microsoft OS ("You *will* use it the way we tell you to") and on the other you have Linux (i.e. Unix) where everyone can have everything any way that they like, and as a result nobody can agree on what the functionality should be for any component that's higher up the evolutionary ladder than a Lego Brick.
Unfortunately most of you reading this will have grown up knowing only these two extremes, and probably have never seen an operating system that is really there to help you get the job done quickly and efficiently. Unfortunately most of these elegant and effective OS products have all but died out today because of all the foaming, heat-seeking, lusers drooling over the latest trend they read in Computerworld.
One day there *will* come a Great Operating System(tm), but it's not going to be Windows (and Microsoft probably won't write it), and it isn't going to be Linux, and it isn't BeOS, and it isn't MacOS, or any of the other current options, so as you wipe the spittle from your mouth after your latest
G.
Re:Hacking CGI is fair (Score:2)
In neither instance were there any server breaches (that have been disclosed) but some really stupid CGI errors made the entire systems as they were intended to run wide open and completely vulnerable.
If this contest was meant to only test the OS, it should have been spelled out as such in the rules.
Why keep doing this? (Score:2)
My webadmin experience is limited to Apple's Personal Web Sharing (only serves 10 connections at once but it's perfect for testing your personal site's HTML links), a default Red Hat 6/Apache combo at work that pretty much only serves two pages (three if you count the default "It worked!" page), and a just-installed copy of Mac OS X Server on my iMac at home; obviously, I'm not what you'd call a fully-qualified expert on the subject. But even I know there's much more to webadmin than what these tests show. It's an ongoing process, not something that can be decided in a week's worth of testing. Anybody basing their webserver or OS decisions on these tests doesn't deserve their own parking space and thousands in stock options, because they're not doing their job.
That said, if PC Week was out to prove which OS can be hacked easiest, X Server would have been an interesting third choice. It ships with almost every service disabled by default, forcing admins to explicitly choose which ones they activate, and it does a fair job of warning when something isn't secure (like storing your server on an HFS+ disk instead of UFS or something equally silly). Hell, if WebStar on plain old Mac OS is good enough for the US Army, BSD-based X Server should have at least been mentioned. Then again, as others have pointed out, the magazine's name is PC Week, not OS Week.
Testing this stuff isn't like running Whetstone on two different versions of the same chip. It involves more work than picking the winner of an artificial and impossible-to-quantify "test".
Or am I just bitter because I work in the black hole of the seventh hell that is tech support and not on the thirty-eighth floor as a golden child of the IS department with a window, a phone that never rings, and a job that involves nothing more than reading PC Week? :-]
This is just silly (Score:3)
"Users at the respected Linux website, Slashdot, plead with hackers to pick on NT and to leave their Linux server alone"
And how about this one. "it was a third party closed source script and not the os's fault".
Here's the headline
"Security Update: CGI-script designed to run on Linux/Apache server allows root access" (I don't think that's what happened but hey once it's in print who cares)
This article would go on to read:
A cgi-script written for the free Linux operating system and the free Apache found faulty. Sources won't reveal the name of the script and no attempt has been made to correct this problem.
Guess you get what you pay for.
written by our fav
Jessie B
We can't stop these stupid contests from going on but we can use some of the tools that the "man" uses to our benefit. Ignoring them comes to mind.
Slashdot has to walk a fine line... they are a news page first and foremost and they happen to like Linux a lot. Slashdot has an obligation? to report and no one is paying them to kill a story unlike, I'm sure, some of the other news sites/journals.
Please Slashdot just say no(tm) to stupid hype and don't post every friggin contest that comes down the pike. These articles may make for interesting/inflammatory reading but they're doing a disservice to the Linux community, nay the entire computing public.
Re:Sour Grapes - linux lost (Score:2)
my experience with Red Hat in particular is that the default install is ridiculously insecure
Then your gripe is with Redhat. Linux didn't lose, poor CGI administration lost. Linux just executed their insecure code.
A $1000 gift certificate... (Score:3)
It won't pay for the same system if he wanted to install NT Server on it.
That's me.. always thinkin...
___
"I know kung-fu."
Re:What if IIS had the hole? (Score:2)
the CGI ship with the RH distro they
used ... if so, that's part of the OS
It's not likely that RedHat includes it. As has been mentioned, it's a closed-source program and RedHat has stopped including any and all closed-source or commercial programs with their distribution.
Re:Must Resist (Score:2)
That's why it's important for some people to at least contest this sort of blatant falsehood publicly. But how?
Re:Can you say "one-track mind"? (Score:2)
Re:Can you say "one-track mind"? (Score:2)
Play with linux for a bit, though, and you'll see why people sometimes have trouble securing their machines. There are a ton of options available, and network security is not easy - especially when the sharks out there keep getting more creative.
After shelling out for NT, you need to spend even more money to enable network services besides file sharing, so people who don't need that software don't have it. With linux, it's all there, right after install. So, because nobody has released a distro just for newbies, most people's boxes come up running telnetd and sendmail and all the potentially weak links in a large, complex system.
In short, the strengths of linux can also become its weaknesses, and we as a user community should see what we can do to remedy that.
Re:Real world usage. (Score:3)
I guess I've just always been of the belief that it's a Really Bad Idea to have your firewall hit unnecessarily. IOW, put the web server outside the firewall, probably on its own subnet off the incoming connection. That way, if the machine IS cracked, you don't suddenly have to worry about all your non-hardened hosts being hit from a supposedly trusted machine.
After all, once you're through the firewall, you're through the firewall, and it won't protect you anymore. If you happen to be running bad CGI, or ColdFusion, or somesuch which just screams "Crack me!", you're probably in for a much larger world of hurt if you think everything is already protected.
I know I didn't come up with that idea myself, so I must have read it someplace and it made sense. Of course, I tried proposing this at the last place I worked, and ran into a lot of resistance. They didn't want to use an old Pentium/MMX 166 for that, even though they were replacing all the secretaries' machines with PII/400s. So this probably WAS a real-world scenario.
I still contend though that the best security policy is to trust nothing, not even the firewall.
Re:Can you say "one-track mind"? (Score:5)
You're right. It serves no purpose to ignore one box. But at the same time, for both Linux and WinNT, the statement regarding the administrator holds true. What you want is to get an absolute NT security guru to configure one box, and a UNIX/Linux security guru for the other, hopefully equalizing that portion of the test.
It's more common for Linux users to notice the box has been cracked. Windows users who suffer BO and similar attacks may not realize that it was due to a network intrusion, and just chalk it up to the notorious unreliability of Windows. Additionally, the type of users who are "experimenting" with Linux are more likely to be interested in security (and doing things that could risk their machines!) than the average Windows user who just wants to surf the Web.
You should not believe that merely un-checking file&print sharing will secure a Windows machine. While the rules of the contest don't count DoS attacks (since that's not the purpose of this particular evaluation), for actual consideration that would have to be a factor. Additionally, remember that this isn't just putting a Win9x or even a WinNT-WS box on the net -- it's a web server, which comes with a whole different set of challenges. With more power comes more complexity. This is true of programming, networking, race car driving, and most things in life.
I agree with you: this should not be viewed as an "either/or" proposition, but as an ongoing process. That's the way the world works, and any test should try to reflect reality in a controlled way. IOW, control is just to take out variances by converting a variable into a constant.
Re:Can you say "one-track mind"? (Score:5)
I don't condone the way this "hack contest" was put together. But I also don't think the results should be invalidated. Someone earlier mentioned that "Us? Condescend to help Microsoft by breaking into their pitiful OS? The very idea!" - the author seems to think Linux users should all try to work collectively to hack into the NT box. Is it really that Linux users think themselves better than Microsoft? Or is it really that Linux users are overly educated in the security realms of their own world? While NT security administrators can only hope that Microsoft has protected them - without really knowing how they might be exploited - and how they might secure themselves other than just applying NT updates.
Just remember: Open source security allows the administrator to have as much control over their security as any hacker - script kiddie or otherwise. Closed Source security means that thousands of MS employees, present and past, know more about your security and its holes than you do.
Joseph Elwell.
Re:Too many variables (Score:3)
Those are mighty sour grapes there....
Question- if the same CGI script(s) were running on both systems, why didn't it fail on the NT system as well?
Could it be that since the services are wide open on a Unix system once security is breached (single point of vulnerability- access to root), while it's more difficult to do as much through remote access on an NT system (granular security model, no remote access command prompt by default), that the faulty CGI script is a far more serious problem on Linux than on NT?
Since I don't know all the details of the failure (the links in the story point to an infantile "did too!/did not!" discussion thread) it's hard to discern the details of the test.
Re:PHEAR! Let's examine the facts, first (Score:3)
The point of this test is moot, since really neither OS was compromised. It was a flawed CGI script, just like the one that brought down Hotmail.
Like many others have said already. Pay up to the guy that got in. Then fix the flawed CGI (or release the source so that somebody who's competent can), and run it again. Once all the bugs are gone from the "add-ons" on both servers, then maybe we'll begin to see which is the more secure and stable OS.
I admin both NT and Linux boxes at work. I know which of the two I can rely on to stay running and keep unwanteds out. I don't think it makes me a "Linux Zealot", perhaps it just means I find Linux easier and more intuitive to admin. If somebody else finds NT to be more stable and secure for them, more power to them.
john
Re:Dan Attenborough (Score:2)
Like an NT user, of course I have my preference and biases. I also believe that Linux is not only a better security platform, but philosophically as well. I'd use it even if it was shown to be less secure. But it doesn't matter what I believe to be true, does it? It must be tested.
I think that the layout of the challenge was poorly stated, but this is merely Monday-morning quarterbacking at its worst.
Again, if it was NT that was brought to its knees, nobody would be uttering ANYTHING about "second chances", and that bugs me a bit. But do I have some sort of inbred, insatiable desire to make sure Linux wins at all costs? Hell no. I am a scientist to the core, and the truth can always be questioned. I hope Linux comes out on top
My
Quux
http://www.intap.net/~j/ [intap.net]
My
Quux26
Real world usage. (Score:2)
First, I agree, they really needed to have put up the RH config info.
Second, as to the firewall, they specifically stated that it was meant to approximate a "real world" situation. Thus, they used a firewall to prevent "stupid" attacks, like DOS. How many real world servers are all alone in the night? Not that many. Most (smart) admins put some kind of firewall in the way. That is what PCW did.
As to their apparent lack of Linux-savvy? Well, I would have liked it better if:
Remember, for a real world test, you should have a real world configuration, not an artificially extra secure one, or one that takes so many tweaks that no professional sysadmin would spend the time applying all of them. I, for one, would rather spend an hour configuring a mostly secure NT box than spend two days configuring a perfectly secure Linux box. (Or vice versa, whichever happens to be true at the time.)
Remember, time is money too. My boss lets me play with Linux all I want during spare time, but when I have to make the server work now, he doesn't want to wait the extra three hours while I get the Linux box perfect. He'd rather have the NT box "good enough" now. Admittedly, I'm an NT-guru, and I'm fairly new at Linux (only 3 years of experience, but I'm getting better. I've had my home server running flawlessly for multiple months now) but I think I know enough that it shouldn't take me 10 times as long to do the same tasks.
And just so you don't think I'm too GUI-happy, I loved my DOS box, and still use the command line all the time in NT. (I have the services for UNIX installed to make it a really happy NT box.)
Okay, <rant mode off>
Re:Can you say "one-track mind"? (Score:2)
That said, I think it's important that we try as best we can to write apps that make it easier and easier to prevent the 3l33t d00dz from running script attacks against vanilla linux boxes run by newbie administrators who just switched from NT.
Re:Sour Grapes - linux lost (Score:2)
NT "out of the box" (read: straight off the CD) is far more problematic than most Linux distributions "out of the box". How many service packs and/or hotfixes are required to keep NT 4.0 from walking off a cliff? [Redhat is a bad example, but I'll use it anyway.] How many updates are required to keep Redhat 4.2 from jogging into on-coming traffic? In both cases, you will need to turn a few things on or off depending on what you selected during installation. (And in the NT 4.0 case, you need to install the 70M IE4 to get it near usable -- it shipped with IE3 which cannot be used to access even Microsoft's download section(s). I find that damned annoying.)
Kernel to Kernel, linux and NT are too close to call. Just look at how often kernel related defects for both systems turn up. Which is more secure? Neither. Both systems can be compromised -- it's generally easier on a linux system due to the ease of (nearly) replicating the system and the availability of code to thumb through. (It's hard to break into a black-box.)
Given a choice, I'll take any UNIX over Windows. I like having a command line; I hate having magic hidden behind GUI buttons; And I _like_ being able to "telnet" into my UNIX server that has no video device at all.
"I don't care if a pair of gerbils could break into it; I'm gonna use linux."
Why the weeping over linux? The NT is vulnerable (Score:2)
Re:Can you say "one-track mind"? (Score:2)
Re:Can you say "one-track mind"? (Score:5)
Why do you refuse to prove your point by actually cracking an NT box in one of these challenges? On a related note, I have heard as an excuse for Linux in response to the ZDnet trial, "A system is only as good as its administrator." This seems true, but if you really believed it, (A) you would know that you would not be helping MS by cracking NT, you would be helping only the particular person administrating that box, and (B) you would be proving your as-yet undemonstrated point that NT is at least as insecure as Linux.
Part of the thing that people sometimes miss is the higher number of underqualified administrators administrating NT servers than Unix servers. With the meteoric rise of Linux, that's becoming less the case. These days any joe-blow can throw redhat on a machine in ten minutes and leave it at that. A few years ago it wasn't that easy.
It's also probably worth pointing out that on the net, there's more usefulness that comes to a cracker in cracking a Unix system than an NT because of its inherent multiuser ability, and the fact that many things can be easily configured through text files. That makes them a prime target for script-kiddies, both because they're easier to reconfigure in a small amount of code, and because of the fact that actually getting into the server is more useful. Therefore, there's a lot more exploit scripts it seems for Unix than for NT. I don't think that's because of any lack of security holes in NT, but rather a lack of reasons to bother hacking an NT machine beyond pointing out to the administrators that NT is a bad solution.
Why do I read, in every mailing list and newsgroup, posts from Linux people saying "HELP! Someone cracked my box! What do I DO??" These would seem to back up my first point.
For the same reason as I said above, as well as the fact that most Windows users probably wouldn't notice the fact that they'd been cracked. They can't simply type "w" and see who's logged in, and they're more used to seeing their computer slowing down and having the drives running for god-knows-what-reason. Last time I was using a cable modem, there were several dozen machines that would've been rather easy to get into because they had their drive shared without a password. Short of deleting all the files, how would anyone possibly know I was in their stuff? They wouldn't. And even if I deleted any of their files, without the logging present like there is under Unix, they wouldn't be able to figure out that it was an external user that wiped the files, and not some weird glitch in the system.
Why is network security so complicated in Linux as compared to Windows? My windows computer is connected 24x7 via aDSL, all I have to do is disable file/print sharing; one check box. If I enable sharing, I just have to use common sense and set a password. If you wanted Linux to be more secure, you could try making it easier to batten down the hatches.
It's more complicated because you're running a server OS. That's been discussed to death -- the fact that there aren't (yet) any good "desktop" distributions, that won't by default install all the services that aren't actually used. Linux is easy to tighten up, but you've got to know that you need to do it, and you've got to know that the desktop system you installed has as much capability as any "server". A lot of people don't know that, and don't understand what that entails.
I'm hoping to find out that Corel's distribution ends up a "client only" distribution... that'd go a long way towards making that distinction clear.
It's Karma (Score:2)
I think it's only fitting that the Linux box got cracked first, even if it was sort of a cheap way to do it - not because NT is a better designed or more secure OS (yeah, right), but because of all the fire-breathing anti-MS fanatics who think that even in the hands of a newbie administrator Linux servers are more secure than Fort Knox. (I refer any readers back to some of the
The best aspects of open source movement are its emphasis on choice and community - contests like this make some of the open source folks look like the same kind of supercompetitive, manipulating people they usually bash.
Re:Can you say "one-track mind"? (Score:2)
Yes, and the Micro$ofties are equally one-sided. Anyone truly impartial probably doesn't care enough one way or the other to state an opinion.
I think the Linux PPC box is still running unhacked.
Agreed, that seems to me to be a cop out. I think the Unix advocates know too little about NT to actually make an attempt. I think the reverse is probably true as well, the NT advocates don't know enough about Unix, which is why they have these "hacking contests" (which seem to be mostly promoted by Windows people) to get the Unix folks to do the Unix cracking for them.
Really, I think the main reason Unix gets more attention from hackers than NT is because Unix is just more interesting to hack. There have been decades of real-world experience to understand the security issues associated with Unix. And once you're in, you actually have a rich remotely-accessible environment to play in.
NT on the other hand is a different beast. Being a closed system and relatively new, the security issues are not nearly as well understood, even by NT "experts". And everyone seems to acknowledge that NT is not as good a system to access remotely, which makes a successful crack less fruitful.
Ultimately I think it's more a security vs. obscurity thing. People don't hack NT not because it's unhackable, but because they just don't know how to hack it, and hacking it is ultimately uninteresting compared to hacking Unix. I wouldn't depend on this obscurity to protect anything of real value though.
Don't forget to disable your web browser and your email software. Er, wait... Why are you connected to the internet? ;*)
It's not that hard to disable services... Is it?
Re:Must Resist (Score:2)
Actually, it's a magazine for managers of PC networks, not "Windows users". Maybe you are thinking of "PC Magazine".
This means lots of Novell, NT, and Linux coverage. Those are pretty much the most popular PC server platforms right now. Most of the advertising in PC Week seems to be for network hardware and software. There are very few straight Windows user applications being advertised.
Of course, the #1 vendor for these folks is Microsoft, so there is a huge amount of MS coverage. (But contrary to Linux paranoia, not every PC network manager is a MS drone. Simply that most IT shops have a vested interest in MS's plans and legal problems.)
DMZ (was: Re:Real world usage.) (Score:2)
For those unfamiliar with the term DMZ, it stands for De-Militarized Zone. The notion here is that you have:
Additional good ideas are:
The real results of the test (Score:2)
This is news?