Date:      Mon, 16 Jul 2001 17:56:09 -0400
From:      "Bart Silverstrim" <bsilver@sosbbs.com>
To:        "Paul Robinson" <paul@akita.co.uk>
Cc:        <freebsd-isp@FreeBSD.ORG>
Subject:   Re: gcc on production server
Message-ID:  <00a701c10e42$2075b560$0100a8c0@sosbbs.com>
References:  <20010711170336.B84178@krijt.livens.net> <20010711123133.A21587@pitr.tuxinternet.com> <20010712123523.G53408@jake.akitanet.co.uk> <007c01c10b14$5462d820$0100a8c0@sosbbs.com> <20010713122500.A23202@jake.akitanet.co.uk> <010c01c10bdb$a8f11600$0100a8c0@sosbbs.com> <20010716103740.C37477@jake.akitanet.co.uk>

> Let me get this right.... you're sitting there one day, and you get a
> message from ProFTPd-announce. They have a patch for an obscure, difficult
> to exploit buffer overflow in the current release that your site is
> running.
> They expect this news to hit BUGTRAQ in about 4 hours time. You would
> reinstall the entire machine as opposed to patch the program?

The majority of people out there *probably* find out about exploits from
bugtraq or securityfocus or other sites at about the same time or later as
the kidd3z out there get scripts to exploit the holes, or they are becoming
better known.  I know of a system that is sitting on the Internet where part
of its job is to have intrusion monitoring and logging just to see what's
out there...believe me, that little obscure site gets plenty of probe
attempts to it (lately mainly DNS and RPC probes are showing up).  Now, I'm
thinking that often those patches, the bad holes that people can root or
take advantage of your site through, someone out there discovered it
somehow.  Maybe, if you're lucky, it was a coder that found the bug, and you
can get to it in time from the notice in the lists.  If you're unlucky, as I
suspect that many many people out there are, you find out about it (or even
become one of the initial "discoverers" of the exploit) by coming in to work
one day and having thirty messages waiting for you about why your site now
is the homepage for "F* THE US GOVERNMENT.COM" or some other such crap, or
why your site is attempting to probe ibm.com.  From that standpoint, I'd
have to say that usually means someone rooted your box, and has probably
taken steps via a r00tkI7 of making it a royal pain for you to do anything
besides reinstall to fix it; even with AIDE or Tripwire I'd be paranoid
about running the machine "dirty".  So in that case, yes, I'd rather
reinstall.  In your scenario, the one that unless I see or hear of other
statistics that show that scenario more common than the kind I just outlined
I'll consider to be less common an occurrence for now, then no, I'd rather
not reinstall, a patch is all that's called for.

People who work for companies that are big enough to have admins that can,
as part of daily routine, monitor security lists for every bit of software
that they're running and can take the time to do patches as needed are
indeed fortunate.  Some of us have to make do with limited resources and
time, and do what we can to make things work.  Out of curiosity, how big is
the company you own/work for?  From your description of the server racks it
must be a pretty big operation.  Usually big corporations seem to have a
bureaucracy in place that either works well for a department or forces people
to use what's there for other reasons, regardless of how well it works or
how appropriate an alternative may be.  But there's always exceptions.
Because I have found myself in established networks that could probably use
some tweaking in some areas, but instead have to make what we have work.

For me, one of my initial "tech" jobs was at a mom-and-pop size ISP.
Limited budget.  Very limited.  Something that happens when a rural ISP
starts up from a computer repair and BBS business.  Because of the limited
size and budget, we got creative with how to use resources.  On a
suggestion, we started using Linux for some services, and it saved us time
and money.  If my boss were closed minded to new ideas, as he was really
much more closely acquainted with Windows and WinNT than anything that looked
like the command-line beast Linux, they'd still be paying through the nose
for whatever licensing it would take to get extra copies of NT running
various services.  When we had an idea for something, no matter how
farfetched, he entertained the idea and we'd take some time to see if it was
feasible.  We did some things that made life a bit easier, and many other
ideas didn't pan out for the things we needed to do.  That's fine.  One idea
was putting the boot/sys information on a CD for certain (notice I'm not
saying all?) applications...like hosting at other sites, or running servers
that have a more "static" purpose.  So when you say

> Thank God you don't work for me.

I'm afraid I would say "Thank God I don't work for you."  I'm all for solid
leadership and vision, but I also think that entertaining an idea for
certain applications may actually prove to be beneficial in the long run for
a business or organization.

> If you have the patch, patch up. In addition where the *hell* is your MD5
> database that you should have taken before the machine was connected to an
> external network, thereby ensuring that none of your binaries are
> compromised?

On a ZIP disk for the server I have at the moment, passworded and locked
away in a safe, if you really would like to know.  Like I tried to say
before, the CD idea was for certain types of servers in certain situations.
And besides that, on that type of system, what are they going to trojan if
the whole filesystem is RO?  And if you know your binaries have been
compromised, you still have to replace them.  It still takes time.  Unless
I'm totally missing something here.

> Why aren't you running crypto-signed binaries a la Trusted? Why
> are you taking up valuable time reinstalling a probably uncompromised
> host?

If the system WAS compromised, the "safe admin" wouldn't consider anything
"probably uncompromised" in terms of binaries being replaced.  They got in
to the system somehow, and you never know if the bugger that got in is doing
something you didn't expect or think of to compromise you again or leave
back doors.

> All I have to say is to quote from a book of quotes meant for MBA
> students - "Treat your time like somebody is paying for it. Because
> somebody is".

Or "leave the system vulnerable unknowingly and they can keep paying and
paying and paying."

> How do you trojan a system where only binaries compiled with your compiler
> can execute? How do you trojan a system without detection with RO MD5
> databases? As for trojaning a system with a software-only write lock
> (including jumpers on hard disks or maybe !gasp! a read only mount!)...
> purr-lease....

I've been referring to the idea of CD RO, not HD RO.  I'm largely unfamiliar
with using that technique; another poster brought it up and I was asking
about it.  I apologize for confusion of the context.

You're right about the RO MD5 databases.  Or at least trying without getting
caught with something wrong.  Unless the k1dd33 gets in for stealing
information.  If they stole a user account, or is a valid user (as I believe
some FBI statistic report said the majority of "hacking" attacks are, but
don't quote me on that) getting even, then they can still steal data from
the machine or alter things.  I'm pretty sure that in the race of security,
there's ALWAYS a way to get around it for someone trying hard enough with
time.

How common is using the MD5-executable only method of setting up a machine?
Is there a HOWTO on it?  How many FreeBSD people on the list are using this
technique?

> I'm really not trying to start a flame war here, but I really don't think
> people have thought through what is effective protection for a computer
> system connected to the Internet in the modern world.

I'm not trying to build a flame war either; I'd like to make that clear
right here.  It would hardly be worth the time I took responding to this if
it degenerates into a flamewar, so please let's not let it do that.  I like
having my ideas challenged (honest!).  Why?  Because which is worse; having
an idiotic idea that you're corrected on and feel embarrassed for a little
while for looking like an idiot, or having an idiotic idea and never being
corrected until it bites you on the butt?  Me, I'd rather be told (and given
solid reasons for) why an idea is too far off to ever be feasible.  But I
already know of one thing that it would work for...demos
(*cough*demolinux*cough*).  So my idea from a few years ago can't be *all*
bad.  You're right on the points you made.

And I also mentioned the ideas in business thing earlier...unlike what
appears to come out of Redmond sometimes, ideas coming from employees trying
to find ways to solve a problem that's not always "in the box" are a good
source of "innovation"...and saving small businesses enough money to throw a
pizza party for the employees :-)

I agree that people don't consider security as much today with machines on
the Internet.  But there's more to factor in than incompetence or laziness.
There's a legitimate problem with time in businesses...where I am, I'm in
charge of buying, setting up, maintaining, inventorying, and repairing about
300 systems in five buildings without any tech staff.  Oh, and phone tech
support for them.  It's a legitimate problem when places don't have money to
hire more people to delegate certain tasks.  And we make the best with what
we can.  Yes, there are many paper admins out there ("I got my MSCE! Yay!"),
and there are many incompetent admins out there, but there are people
working in places where politics and user attitudes and staffing/money
constraints quell the "inner techie" of those who in their heart of hearts
know there's a better way to do something with a little more time and
resources...but lose out when other forces require them to act otherwise,
especially when there's a constant thump of users at the door crying "make
it go."  It's a balance of practicality; a lot of people don't fix something
unless or until they absolutely have to because there's not extra staff time
to do it (or any of a myriad of other reasons).  There's lots of things
people *should* do and know they should do, but don't, as foolish as the
result may be.

You sound as if you have a solid implementation of policies and procedures,
and a lot of money and resources to back that up.  That's great.  And I
already know you'd never consider me as an employee, so I won't even ask
about a job :-)  But you might want to give some thought to where or how
something like that could work, rather than why it wouldn't work for your
setup.

One last quick note; to anyone responding to this (if anyone chooses to)
PLEASE don't quote the ENTIRE THING!! It's getting way too big!  Out of
courtesy, please snip it down to the relevant parts you want to comment on,
and I apologize to people who think the time it took to download this
message was a waste of connect time...but I thank you for taking the time to
read down to the last sentence.


---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.264 / Virus Database: 136 - Release Date: 7/3/01
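The thread above argues about the "MD5 database taken before the machine was connected" and about verifying binaries against it later. The following is an added example, not code from either poster, showing the build/verify pair in a runnable form: a baseline manifest of every regular file under a tree is written once (meant to live on media the host cannot alter, as the thread suggests), and a later verification pass reports modified, missing and added files. It uses SHA-256 rather than the MD5 named in the thread (the algorithm is a parameter), does not follow symlinks, and the `demo()` scenario with its toy `bin/` tree, tampered `sh`, dropped `nc` and deleted `ls` is entirely constructed for illustration.

```python
"""Build-and-verify integrity manifest for a directory tree (added example)."""
import hashlib
import json
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algo="sha256"):
    """Map each regular file's path (relative to root) to its digest.

    Symlinks are skipped rather than followed, so a link swapped in later
    shows up as 'added'/'missing' instead of being hashed through silently.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full, algo)
    return baseline


def verify(root, baseline, algo="sha256"):
    """Compare the live tree with a stored baseline; returns three sorted lists."""
    current = build_baseline(root, algo)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def save_baseline(baseline, path):
    """Write the manifest; in practice the destination is removable or RO media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: snapshot a toy tree, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "root")
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        seed = {"bin/ls": b"ls-v1", "bin/sh": b"sh-v1",
                "etc/rc.conf": b'hostname="example"\n'}   # constructed contents
        for rel, body in seed.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)

        # The baseline is stored outside the tree; this stands in for the
        # locked-away copy the thread talks about.
        manifest = os.path.join(work, "baseline.json")
        save_baseline(build_baseline(root), manifest)

        # Simulated tampering: one binary replaced, one dropped in, one removed.
        with open(os.path.join(root, "bin", "sh"), "wb") as f:
            f.write(b"sh-replaced")
        with open(os.path.join(root, "bin", "nc"), "wb") as f:
            f.write(b"nc")
        os.remove(os.path.join(root, "bin", "ls"))

        return verify(root, load_baseline(manifest))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script prints the three lists for the constructed scenario. Against a real host you would call `build_baseline("/")` (or the subset of paths you care about) once, before the machine is exposed, write the result somewhere the host cannot modify, and run `verify` from a clean environment; the manifest is only as trustworthy as the medium it sits on and the tools used to recompute the digests, which is exactly the point the thread makes about read-only storage.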

