2008-09-14 13:48:53

Linus' Misconception of the Security Industry

Ever since the (in-)famous Monkey Story, a new anti-security attitude appears to be spreading. Some of the Linus loyalists have started promoting a new attitude of not adhering to the principles of regular security updates and releasing advisories. At the same time, the security industry is worried to see these attitudes fueled by the leader of one of the biggest Open Source communities.

The general perception of security

We had been facing this attitude of security repudiation from IT consumers before; especially in the Windows world, there is a culture of security ignorance. Security patches are not applied regularly because they are perceived as an annoyance rather than a gain.

The biggest enemy of the security consultant is the perception of ”Who would want to attack me anyway? I am not interesting.“ This may have been a valid question in the very early days of computer science, when attacks were conducted by attackers seeking information or kids seeking internet access through wardialing into the mainframes of the planet.

But the type of ”end users“ of security problems has changed significantly. Nowadays, the biggest use case for exploits is spambots: automated attack bots which break into any computer in their way in order to use it for spamming other people or for conducting denial of service attacks for paying customers. To these bots, the average user with an innocent PC behind a small line is as much of a high-class target as the rest of the world.

The same applies to server security. The good news is that a lot of the time, attackers no longer search for credit card information (which nowadays is usually no longer received directly by the web shop where people buy their goods, but by a server of a trusted credit card service provider who has a real security response team – well, at least some of the time). The bad news is that people who react slowly are going to lose their ability to send mail by ending up on a blacklist.

And so people also don't care that distributions like Ubuntu have (besides other problems) a three-month lag in terms of security updates, while other comfortable end user distributions like Fedora usually release their patches a couple of hours after the incident.

Where Linus comes in

The unfortunate step in Linus' new-found tendency to security populism is that in this atmosphere of negligence, he fueled the argument that ”security is not important“. Possibly this is not really what he meant. As has been proven most impressively by Linus' book ”Just for Fun“, we are nowadays facing a large crowd of people who believe every word Linus says and who will just repeat his opinion rather than forming their own. To these people, when Linus says ”security is not important“, security will no longer be of any importance.

Also, Linus has managed to significantly harm the various vendors' attitude towards open disclosure. Since not a lot of vendors really understand the way in which security incidents are handled – which is mostly done by the first distributor who gets involved – Linus' argument about giving the script kiddies a head start appears plausible to them. Thus, security problems are not necessarily disclosed publicly anymore.

However, this principle does not necessarily work, especially for the Linux kernel. Due to the development model of the Linux kernel, most of the latest kernel releases are very unstable and break features such as suspend to RAM or virtual machines rather frequently. Due to the outlined policy of imposing the burden of fixing these problems on the distributor, that is not really a problem, since the distributors will usually choose older kernel releases and backport fixes and other required features, such as new drivers, to that version as necessary.

This means, however, that the vast majority of people are not running the latest Linux kernel release. Some depend on their distributor's release, and some run older releases which ”work for them“, not knowing that there are hidden security holes in that release. Why? Because Linus thinks that security is not important.

At the same time, spammers have an army of people fitting the description of a monkey more closely than the OpenBSD developers. This army harvests the source code and change logs of the Linux kernel for exploitable security problems for use in their spam bots. This is cheap Chinese and Eastern European manpower which most distributors and end users simply don't have. This means that Linus' proclaimed security policy gives script kiddies and spammers a head start over the end user.

What Linus did not understand

Linus' most convincing argument, however, remains the one concerning the end user: how does one ensure that end users receive a patch before the spammers have had a chance to modify their bots? To an outsider, this problem appears unresolved. This is, however, not the case. And this is where the masturbating-monkey security industry comes in.

Just like the software itself, a security advisory also has a release cycle. For the reasons outlined before, this cycle does not even necessarily involve the vendor. The usual procedure is as follows:

Someone discovers a vulnerability and reports it to the vendor. Then, the vendor or that someone contacts a CVE member, e.g. a distributor such as Debian, Red Hat, or whoever. Alternatively, the distributor sees the patch for the security problem and picks it up.

Then, the distributor creates a ticket at CVE. Now, all CERTs and distributors of the world are aware of the problem. A patch is developed and the CVE members set a deadline by which all distributions must have the fix. CVE members fix the vulnerability and report their progress through a language called OVAL.

Once every vendor has released a fix, the advisory is made public. Now, the CVE switches state from ”draft“ to ”public“ and becomes readable on the CVE web site. (Before this point, the identifier shows up as assigned, but people visiting the site cannot read it.) Distributors release their advisories, and advisory outlets such as Secunia pick them up. Only now do spammers have access to the advisory, while end users have already picked up the fix.

So the problem Linus sees with the ”obsessive security industry“ is already solved; all that needs to be done is to report security problems to at least one of the distributors. From this point on, Linus could go on taking care of the development cycle.

Posted by Tonnerre Lombard | Permanent link | File under: security

2008-08-24 02:33:13

"You have 0 optimism points"

Just for fun, I recently participated in some personality evaluation test. And as expected, the most remarkable thing the tool found was pessimism. Since Thomas ”maximus“ Deutsch recently wrote about his opinion on his attitude, which also included pessimism, I got the idea that there is actually a difference between pessimism and pessimism.

Destructive Pessimism

Most people know destructive pessimism very well. Even the most cheerful people have usually had a phase of depression, at least during puberty. In destructive pessimism, people stop believing in the meaning of their life, their actions and everything surrounding them. As a consequence, these people find it useless to act at all.

The cognitive aspect is also very discouraging. Destructive pessimists don't perceive positive developments and events at all. Maybe these became too ordinary to be perceived, but in any case these people act like they never happened. Bad events, however, are perceived as an affirmation and a frustration.

Constructive Pessimism

Constructive pessimism, however, the type of pessimism I tend to adhere to, does not expect everything to fail. The pessimistic assumptions in constructive pessimism are way more moderate:

  • You cannot expect other people to do work. They most likely won't. They will overestimate their capacity and capability or never get to the job in the first place.
  • If something can fail, it will. This is basically a moderate version of murphyism. However, this principle leads to concepts like redundancy, thus it is an important part of the philosophy of engineers.
  • Too few people make bad decisions. Individuals tend to overlook aspects, so consulting an adequate number of people is always a nice idea. Too many people, however, tend to have problems communicating.

… and many more, but you get the idea. So the general rule is to have low expectations, as opposed to expecting failure.

Unlike the destructive pessimist, who drowns in lethargy, constructive pessimists draw their energy from their pessimism. The conclusion from the above assumptions is that it is best to do the job on one's own, and that one should verify every single component for proper operation. This principle is reflected, for example, in the rules of Extreme Programming.

The differences are also very serious in the cognitive dimension. If a constructive pessimist perceives failure, it was what he expected, so it does not come as a disappointment. He prepared for the failure, in fact. If, however, he succeeds, then he is very positively surprised and perceives the success as such. Thus, disappointing a constructive pessimist is close to impossible, while the world is indeed full of positive surprises for them.

In conclusion, it bears repeating that there are indeed different types of pessimism, and that not all of them necessarily lead to apathy. Indeed, pessimism can be quite inspiring.

Posted by Tonnerre Lombard | Permanent link | File under: general, chaos

2008-08-24 02:01:08

New rt for pkgsrc!

After a request from Dan, I upgraded rt to the new version 3.8, and was slightly surprised. Apart from the new interface which finally looks like the MacOS 10 user interface, just like all web applications attempt to these days, and the rich text mail editor — a feature I am hoping never to see in action — it also features a whole new set of user configuration options, and, even better, PGP support.

Also improved is the SPAM filtering support. It is no longer necessary to prefix rt-mailgate with procmail. Usability is also massively improved; the menu is now on the left again rather than on the top. Only submenus open on top. The annoying thing, though, is that in menus of a certain depth, the menu bar jumps between top and left for the same menu, since the top bar only ever shows the topmost level.

People who are afraid of wearing glasses can now also configure font sizes at will.

So it is time to congratulate Best Practical on their new release, and to look forward to deploying the new PGP feature.

Posted by Tonnerre Lombard | Permanent link | File under: security, news

2008-08-23 19:23:26

OpenBSD CVSweb or how not to fix XSS

A while ago, a Cross Site Scripting (XSS) vulnerability had been found in CVSweb, as used by the OpenBSD Project.

XSS basics

Now, the name Cross Site Scripting can be quite misleading. In fact, the problem is that you can insert arbitrary HTML code into the web site. This also means you can fake information displayed in the site; thanks to CSS and related tricks, no JavaScript is required for this anymore. The term Cross Site Scripting actually comes from the one possible scenario where JavaScript code is injected into the web site which can do arbitrary things, even send requests back to the web server of an attacker, e.g. with the password from some login page.

However, this is just one possible scenario. In any case, fake information can be injected into the web site to make it appear as something different.

The correct fix is, of course, to encode user input properly before displaying it on the web site, just like it is done with user input meant to be used in SQL statements (in SQL injection attacks, this is not done properly). Normally, languages used to write web applications already provide means to encode user input for use in web sites; for example, Perl has encode_entities() in the HTML::Parser package.

(For more information on Cross Site Scripting, please refer to my lecture about common security problems at the Chaos Communication Congress.)

OpenBSD's fix

Rather than encoding the input in question properly and verifying its validity, the OpenBSD people decided to go a very unconventional (and useless) way in fixing the problem. A piece of JavaScript was added to the web site, redirecting to a page stating that JavaScript sucks. This page goes on to state:

Javascript Just Sucks

CVSweb takes input to a cgi script to show you source code, which it sanitizes to protect itself. It doesn't care how insecure your web browser is.

Nothing on www.openbsd.org cares about Cross Site Scripting, since we don't use cookies or any form of authentication. However, since your web browser will accept script calls in a url, some idiot could send you a URL with a script embedded in it to make your browser go somewhere else from a url that starts with www.openbsd.org. Somehow the XSS wankers feel this affects openbsd.org's street cred. Mystifying to me, since if you decide to visit this site with a web browser that does rm -rf / every time your browser sees the word "elephant" - well you just got pwned too. The problem is your browser.

Of course to remove all special chars in input fields for cvsweb means you can't look for interesting stuff in code. So, someday I might take the time to try to do that, without making cvsweb useless. In the meantime, just turn off javascript when visiting this site, use a browser that doesn't support it, or use the firefox noscript extension and you'll see cvsweb just fine, once you revisit it at http://www.openbsd.org/cgi-bin/cvsweb

The claim that the problem is only in the browser is, of course, entirely wrong. The web site contains additional information which is not supposed to be there, and the browser cannot tell the difference between wanted and unwanted content. If the input is not properly sanitized, this of course means that the browser will interpret it wrong.

If, for example, you visit the above link with JavaScript disabled, you will still see the headline ”Only 2 Remote bugs“ which clearly does not belong there. The fix is not working.
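To make the two points above concrete (output encoding is the fix; a JavaScript-only countermeasure does nothing against injected markup), here is an added example in Python. It is not CVSweb's code and not the OpenBSD patch; `html.escape` plays the role that encode_entities() plays in Perl. The query strings, the template, and the allowed tag set are all constructed for this example. The `foreign_tags` check is a simple detection you can run over rendered output: it reports any start tag that the page template itself did not emit.

```python
"""Output encoding versus raw interpolation for a CVSweb-style query parameter.

Added example; it assumes a page template that prints the search query
once as text and once as an input value. Sample inputs are constructed.
"""
import html
from html.parser import HTMLParser

# Constructed sample inputs standing in for a "search" query parameter.
BENIGN_QUERY = "strlcpy(buf, src, sizeof(buf))"
# Constructed markup-only input, modelled on the fake headline the post
# reports seeing. It contains no JavaScript at all.
MARKUP_QUERY = "<h1>Only 2 Remote bugs</h1>"

# Tags the (constructed) template emits itself; anything else in the
# rendered page must have arrived through the request.
TEMPLATE_TAGS = {"p", "input"}


def render_vulnerable(query):
    """'Before' form: the parameter is interpolated into HTML unchanged."""
    return f'<p>Results for: {query}</p><input name="q" value="{query}">'


def render_fixed(query):
    """Hardened form: encode the parameter for the HTML text and attribute
    contexts. quote=True also encodes " and ', which is what keeps the
    attribute value from being terminated early."""
    safe = html.escape(query, quote=True)
    return f'<p>Results for: {safe}</p><input name="q" value="{safe}">'


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would act on."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def foreign_tags(rendered):
    """Detection check: start tags in the page that the template did not emit.

    Encoded input appears to the parser as text (&lt;h1&gt;), so it never
    produces a tag here; raw interpolation does.
    """
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return [t for t in collector.tags if t not in TEMPLATE_TAGS]


def script_only_filter_catches(query):
    """Models a countermeasure that only looks for JavaScript; pure markup
    such as a fake headline passes it untouched."""
    lowered = query.lower()
    return "script" in lowered or "javascript:" in lowered


def search_term_preserved(query):
    """Encoding, unlike stripping special characters, is lossless: the server
    still receives and searches for exactly what the user typed."""
    return html.unescape(html.escape(query, quote=True)) == query


if __name__ == "__main__":
    for q in (BENIGN_QUERY, MARKUP_QUERY):
        print("raw   :", foreign_tags(render_vulnerable(q)))
        print("fixed :", foreign_tags(render_fixed(q)))
        print("script-only filter catches it:", script_only_filter_catches(q))
```

The lossless round trip is the answer to the quoted objection that removing special characters would make searching source code impossible: encoding changes how the characters are represented in the page, not which characters the server searches for.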

Posted by Tonnerre Lombard | Permanent link | File under: security, programming

2008-07-25 20:45:20

A rant: Security is not war

These days we're living in a world which is stuffed with war, attacks and extremists of all sorts. In the one corner we have the islamic terror which, thanks to series like Sleeper Cell, can now also be enjoyed from the living room. People with turbans carry around bombs and kill millions of people every day. The youths are sniffing anthrax and have nothing better to do than to segregate themselves from the community, only in order to get angry about it and to adhere to extremism.

On the other hand, the communist culture of deportation is still alive. Women from all over the world are deported to Moscow; there is not a family in this world which hasn't lost at least one member to them. The deported then have to build nuclear weapons which are specially crafted to attack the United States, the holy grail, the center of the prosperous world. For this reason, a protection shield is being established around Poland and Czechia — not Turkey this time, there have been bad experiences with the last attempt.

However, the world of computer security is in no way comparable to this. After a recent security incident at the Baslerzeitung, reports said that “efforts were made to fend off the attacks”. On the bloody morning after, one tin soldier rides away.

In truth, the issue was very simple. The software used by the newspaper was written poorly and allowed attackers to inject additional web site elements (“Javascript Injection”, apparently through SQL). Rather than lining up the tin soldier at the server room, armed with guns to fend off the attackers, the newspaper simply patched their software. From this point on, it doesn't matter how many attackers are running against the web site — it is “vaccinated” and no longer vulnerable to the attack.

It is very questionable whether the people who write the type of articles quoted by BloggingTom can ever be educated on the issue. It should be clarified to them that computer programs are more comparable to dogs than to countries. Except that there probably are no “badly coded dogs”.

Posted by Tonnerre Lombard | Permanent link | File under: security, network