The Evils of Default Security (tutorial)

Quote:

---

Originally posted here by Juridian
Alot of the problems people are experiencing right now are the ones being brought up in this thread. Users put up a system and think it's secure even though it's not. Those who understand it's not secure, or just finding it out, do more work to lock it down. The same will most likely be said if everyone pushed secure by default systems. There will still be a fair share who pop em up and think they're fine...and the rest will educate themselves to various degrees to prove to themselves that they are fine. I believe that pushing secure systems will most likely lessen the chance of mass worm infection of the scale and type we are seeing today, as well as make the script kiddies on my local cable network work a lil harder to actually do something to Ma and Pa Kettle's computer down the way.

---

That only supports the hypothesis that 'hardening' an operating system actually does something, which is counter to what catch has posted in this tutorial. I agree, people need to be aware that secure by default only applies to default configuration, and the moment you make a change it changes the security level of the box. I do however not believe that it is wrong for them to say it is secure out of the box in its configured state after installation. That is not necessarily something that's any good since a box will rarely be left in that state, but it does not bar the truth of the thing as stated.

Quote:

---

Originally posted here by MsMittens
Even Novell?

---

Hence why I did not say "all other OSes". There are obviously other like-minded security endeavours out there, and I would classify Novell as one such thing, since they perform some very rigorous code auditing (at least last I knew of).

Quote:

---

And sorry. I think I'm a bit dense from the holidays but where are the facts that support that OBSD is "far more secure than other OSes in their default configuration"? Is there a report? study? ;)

---

The results speak for themselves:
http://search.cert.org/query.html?co...set=iso-8859-1
http://search.cert.org/query.html?co...set=iso-8859-1
http://search.cert.org/query.html?co...set=iso-8859-1
http://search.cert.org/query.html?co...set=iso-8859-1

On the surface, the results appear to suggest that OpenBSD has indeed had 30 or so vulnerabilities that warranted advisory status, but in reality very few actual deal specifically with OpenBSD, and though it is mentioned, it is usually something along the lines of:

Quote:

---

OpenBSD's dhcp support is much modified, does not have that feature, and therefore does not have that bug.

---

From: http://www.cert.org/advisories/CA-2003-01.html
or

Quote:

---

OpenBSD is not vulnerable as OpenBSD's malloc implementation detects double freeing of memory. The zlib shipped with OpenBSD has been fixed in OpenBSD-current in January 2002.

---

From: http://www.cert.org/advisories/CA-2002-07.html
As examples. Few of the vulnerabilities are issues with OpenBSD, while many other vulnerabilities exist in both Windows and Linux. Those are the remotely exploitable vulnerabilities that CERT felt worthy of advisory status. Actual bugs that may or may not exist in many configurations also exist in other operating systems.
Netware and OpenBSD appear to have similar track records in terms of security based on CERT, at least recently.

Open BSD has http://www.openbsd.org for it's "reports" about how secure it is, and a few other sites should have something listed...But i've learned not to always believe that. The Free BSD web page says it is secure to.

What about Trusted Solaris? Has anyone had any experiance with that? I've looked into that OS as I think Solaris is a great OS as long as it is on a Sun Sparc or something.

What about other trusted OSs? OpenBSD is far from the only OS claiming security. I doubt the OSs running on shuttle launches for NASA are anything we have seen. ;)

OpenBSD isn't a "bad" OS, but it is not the most secure thing on the planet. It has had security updates, meaning they have found something in it before right? Still, I think it has many uses.

I think "Hello, World!" is the most secure peice of code on the planet that actually does something besides compile.

Mainly because I'v never seen an exploit for it.

I think that just because an OS is saying it is secure, really does not mean much. It's good if it is, but it doesn't mean the OS is actually secure. Default security is another thing that has alot of opinions.

Take life for an example:

Humans are born cold, naked, and a Dr. gets paid to whack us on the ass and make us cry. We are shipped in a very insecure state. So far though, the turtles and snails havn't taken over, and they ARE shipped in a secure state. They both have shells protecting them.

So why havn't they taken over and made us slaves?

Because they lack the thinking required to do so. Or the "programming" to do so. So instead they wonder off to be eaten by birds directly after birth, and we sit in a hospital, stuck in a room full of other babys, and then we get taken home and we eventually, with the right tools, become secured.

The turtles and snails that don't get eaten also become a little more secure, as the shell they are born with hardens.

What I am trying to do here, besides get a smile/laugh out of someone, is just make a point that just because something is shipped in a secure state, doesn't ALWAYS meen that is is. And just because something DOESN'T ship in a secure state, doesn't mean it can't be.

And, also, remember, the right tool can bring ANY OS down. I'll use the life example again:

Turtles come with a hard shell for protection, but Sledgehammer V2.0 still cracks that with no problem. And people come with no security, but can be secured to take a whack from a hammer with helmet 1.0 and armor 2.0. Point being; the right tool will break through any security system you put forth no matter how secure it came.

Hopefully you see what I am trying to say. I'm not trying to claim to be the great Goradini who can break through anything, I'm just saying with the righ tool, you can, be it knowledge, or a sledgehammer.

Quote:

---

Don't take this the wrong way, catch, I'm not flaming you, but what you said almost seems like a contradiction of the subject at hand.

---

576869746568617, you're attributing comments by me to catch I think...

Quote:

---

..the results appear to suggest that OpenBSD has indeed had 30 or so vulnerabilities that warranted advisory status, but in reality very few actual deal specifically with OpenBSD..

---

But are those advisory in CERT indicative of the security of it or rather the lack of use by "hackers" at finding and searching for exploits? We know that a larger audience using a particular OS (Linux and Windows -- specifically Windows) has resulted in more bugs and vulnerabilities found. So if we base "security-ness" on the "lack of CERT Advisories" is this an accurate picture if few people use it? By this logic, the most secure OS is Macintosh OS 9. :D

Quote:

---

Originally posted here by MsMittens
By this logic, the most secure OS is Macintosh OS 9. :D

---

I'm far from a Mac expert, or user, but from what I understand, Mac OS is fairly secure. MsMittens, I think you'v said you use Macs correct? Are they a secure computer? I know Mac OS X is supposed to come fefault everything turned off, but are they really secure? I'd get a Powerbook with superdrive if I could afford it right now. I need some OX X practice and also I do enjoy making music and making art work. I use Linux for the art work right now and Windows XP for my music, but that's another topic than what we are discussing,

since we have been talking about OS security, how secure would Linux rate? I know this is something that can depend on the distro, but for example, Mandrake Linux 9.X seems to be very reliable and secure. I got my first Mandrake system when 7.1 came out. I bought it at best buy, and at the time I think I had only had a computer for a few months, but I wanted it because Tux was on the box and a friend of mine in IRC used Linux so I wanted to learn.

So I bought it. Of course I never used it untill a year ago. I'v only been using Linux and BSD for....Less than a year. In like 3 days it will mark one year that I'v been using it. In that time I have learned an aweful lot about it, and how to secure each distro.

Quote:

---

Originally posted here by gore

I think "Hello, World!" is the most secure peice of code on the planet that actually does something besides compile.

Mainly because I'v never seen an exploit for it.

---

While there may not be many bugs in the hello world code itself, there are most likely numerous bugs in the libraries supporting the hello world application itself.

Quote:

---

Originally posted here by MsMittens
576869746568617, you're attributing comments by me to catch I think...

---

Nope actually, the quote is out of Catch's original post. I quoted the same piece as well.

Quote:

---

Originally posted here by MsMittens
But are those advisory in CERT indicative of the security of it or rather the lack of use by "hackers" at finding and searching for exploits? We know that a larger audience using a particular OS (Linux and Windows -- specifically Windows) has resulted in more bugs and vulnerabilities found. So if we base "security-ness" on the "lack of CERT Advisories" is this an accurate picture if few people use it? By this logic, the most secure OS is Macintosh OS 9. :D

---

From a remotely exploitable standpoint yes. Again, it comes down to specifics about the environment. Are you looking at desktop security? Are you looking at server security? etc.. As I said before, context matters greatly. From a server standpoint, obviously OpenBSD is a good SECURITY choice. Security alone does not make decisions, but it should definitely be considered.

Quote:

---

Originally posted here by Juridian
While there may not be many bugs in the hello world code itself, there are most likely numerous bugs in the libraries supporting the hello world application itself.

---

Oh, ****! Forgot about #include and so on....I'm no programmer but I do know that #include has alot of code in it...Or at least a programming teacher told me that.

So the most secure program would be this then? ::

int main()

{

return 0;

}

That does'nt do anything but compile, but it's secure!

Quote:

---

Originally posted here by chsh
Nope actually, the quote is out of Catch's original post. I quoted the same piece as well.

---

Umm... Double check that. The portion you quoted is

Quote:

---

The reality is, IMHO, no system is secure from the get go. And anyone who thinks that an OS is secure by default (because it says so) is opening up the possibility of making a mistake. There are some systems that lend themselves to be made more secure or are designed to be flexible enough to be secured well but none is truly secure. The adage "Be paranoid and be even more paranoid" should be the mantra for all secure admins, experts, etc

---

That is from the bottom of post 12. My post. No where does catch state this. He's done three posts, post 1, post 4 and post 8.

Quote:

---

From a remotely exploitable standpoint yes. <snip> As I said before, context matters greatly. From a server standpoint, obviously OpenBSD is a good SECURITY choice. Security alone does not make decisions, but it should definitely be considered.

---

No. From the standpoint of the fact I asked you for specific proof of OBSD being secure. You stated:

Quote:

---

Few of the vulnerabilities are issues with OpenBSD, while many other vulnerabilities exist in both Windows and Linux. Those are the remotely exploitable vulnerabilities that CERT felt worthy of advisory status. Actual bugs that may or may not exist in many configurations also exist in other operating systems.
Netware and OpenBSD appear to have similar track records in terms of security based on CERT, at least recently.

---

So in the case of OS 9, which AFAIK, never had any CERT worthy vulnerbilities, wouldn't it be a secure OS? When I asked for reports on the security of OBSD I was hoping that there is some 3rd party that has done a study on it and has stated that it's secure. There are organizations and standards that do this:

Common Criteria: This is the new standard to replace the Rainbow books. http://niap.nist.gov/cc-scheme/ (go figure, CC's site is discontinued *shrug*)

IEEE: has started an organization/committee on secure OSes Baselines: http://standards.ieee.org/announcements/pr_p2200.html

ICSA Labs: I had thought they did OSes as well as security applications/devices but unfortunately no. For those interested, visit it here: http://www.icsalabs.com/

Going by vulnerabilities alone doesn't give an indication of success for a secure system. It's gives an indication of good programming perhaps. There is a website -- but damned if I can find the thing -- that shows which Open Source programs have good secure, stable code. NMAP was the only security application there. This site is for testing Open Source applications since Open Source developers often are missing the funds to prove that their applications are sound, stable and secure when it comes to government standards.

Meeting a standard set for security and that is accepted by an industry and/or government usually is an indication of security-worthiness. Does this mean that OBSD isn't a secure OS? Not necessarily. Rather, it's definition of security is different than what the industry may be looking for or perhaps there is nothing left in the budget to test it's security-worthiness against other systems.

Now, in my search for finding more information about the standards for secure OSes I did find the following article which might be a worthwhile read by all.

Lastly, in a PM to me, catch stated that the tutorial is based on a "mathematical fact". Since this wasn't clear to me (and I think others) perhaps you could clarify this for everyone. It might help put things in context (since that seems to be an issue). :D

Quote:

---

Originally posted here by MsMittens
Umm... Double check that. The portion you quoted is
That is from the bottom of post 12. My post. No where does catch state this.

---

That is correct, however I took 5(etc)s post to mean that he would first respond to the first quoted block, and then to the latter. I suppose it lies in the interpretation, but to me, clearly the first part of his post is aimed at the first block he quoted.

[quote][b]No. From the standpoint of the fact I asked you for specific proof of OBSD being secure. You stated:
[...]
So in the case of OS 9, which AFAIK, never had any CERT worthy vulnerbilities, wouldn't it be a secure OS? When I asked for reports on the security of OBSD I was hoping that there is some 3rd party that has done a study on it and has stated that it's secure. There are organizations and standards that do this:
[..snippage of good links..]
Yes, however again, I stress the importance of context here. How often is MacOS9 used as a server? I would say little to none at all, and virtually all of the CERT vulnerabilities will be in regards to server vulnerabilities, which is why such a difference exists. From a remote security standpoint, I feel confident in saying OpenBSD does a far better job protecting itself from harm than any other server operating system. OpenBSD has a host of other issues however pertaining to other things that bar its widespread use, not the least of which is application/developer support.

Quote:

---

Going by vulnerabilities alone doesn't give an indication of success for a secure system. It's gives an indication of good programming perhaps. There is a website -- but damned if I can find the thing -- that shows which Open Source programs have good secure, stable code. NMAP was the only security application there. This site is for testing Open Source applications since Open Source developers often are missing the funds to prove that their applications are sound, stable and secure when it comes to government standards.

---

Using the count of the vulnerabilities is silly, I agree. If you look at the meat of the vulnerabilities, and the general statements made in response, OpenBSD's common indicator is that it is vulnerable because it is something that the kernel itself can't stop, or it is not vulnerable because the kernel itself can stop it. An example of the former would be Apache vulnerabilities, but in that sense, OpenBSD still is more secure since by default it still jails the webserver process as well as nameserver (I believe, I could be wrong on that). An example of the latter would be the double free() vulnerability I quoted to which BSD is not vulnerable since the kernel detects double free() and prevents it. The alternatives do not offer this kind of protection, therefore they become vulnerable to a wider range of exploits. Again, this is in the context of remote security, where a user doesn't have local access, just so we're clear. I would venture to say that this is roughly say, 80-90% of all circumstances, and indeed, even your own courses on the subject would indicate highly favouring remote security over local. Local security is another beast entirely. It is rapidly becoming clear that this is indeed quite a number of discussions itching to be had, perhaps I could start threads for each type of security? :)

Quote:

---

Meeting a standard set for security and that is accepted by an industry and/or government usually is an indication of security-worthiness. Does this mean that OBSD isn't a secure OS? Not necessarily. Rather, it's definition of security is different than what the industry may be looking for or perhaps there is nothing left in the budget to test it's security-worthiness against other systems.

---

Therein lies another discussion: are the government standards that which make up what is actually secure? It is often jokingly said that the most secure box is the one that has no operating system, let alone network connection, but that is also true. The question becomes, if an operating system is unusable, and is NEVER used but is ultra secure, its security could be quantified as both infinite, AND 0. It is both absolutely perfect in that it will never be hacked, and absolutely imperfect in its unsuitability for use.

Quote:

---

Now, in my search for finding more information about the standards for secure OSes I did find the following article which might be a worthwhile read by all.

---

Yep, def. a good read.

Quote:

---

Lastly, in a PM to me, catch stated that the tutorial is based on a "mathematical fact". Since this wasn't clear to me (and I think others) perhaps you could clarify this for everyone. It might help put things in context (since that seems to be an issue). :D

---

Well I too am interested in seeing the mathematical fact behind this, but have to wonder why it wasn't represented that way in the first place.