MS-DOS, security theory

[gore]

THANK YOU!!!!

Now, how did you patch it? I didn't think DOS got patches anymore. Anyway, thanks again. What are the chances of you tossing that box into a war game? It would be fun to see how someone could break in.

Now for those who think I'm totally serious, and thinking of making DOS a server, it was just to get some decent discussion on the front page. I'm willing to make an ass of myself for the sake of a good discussion. Done it before, and will probably do it again. And I think it's been worth it. I've got a bunch of replies, and great information on security in DOS, all in one thread, and all I had to do was form a quick theory and set the dogs on it here.

[Tedob1]

dos didn't need to be patched...arachne did and they issued a new vesion.

where i live now high speed isnt available and although i have two phone lines the company i work for dumped the ppp account i was using on it. i dont want to tie up my account but if i can get another account threw work or find the time to put it on the T at work ill let you know by PM, dont want to make my ip block public.

if you check out the dos web rings there are many dos web servers on the internet. not to mention fido and other types. they are protected by hardware fw's just like all the other OS's. being as dos doesn't have any native sockets one must depend on the integrity of third party software often written by folks in there spare time. put under the kind of scrutiny that commercial software is im sure they wouldn't stand a chance.

[HTRegz]

Hey Hey,

Interesting thread, from what I've read of it ... I skipped the middle. I'm going to read back through and see if anyone has listed a DOS webserver, if they have.. I'll throw it online for ya. I've found a DOS telnet/ftp server suite, Don't know if it works, but I'll grab it also and I'll see what I can get running for ya...

Peace,
HT

[Raion]

I'm not going to take sides as everyone who has posted here is right in their own way. DOS of course has it's vulnabilities but unless everyone starts using it they won't be looked into. As gore suggested you could probably make a "firewall" or whatever you want to call it which prevents another task from forming while you are away from the computer. Setting up a server with DOS is a good idea but 99% of the people won't have a chance to get in as it would only allow 1 at a time, and if you do gore's idea nobody will be able to get it. Now of course this still needs to be looked into (if someone was actually looking into starting a server with DOS)..and if somebody were to find a vulnerability in DOS, they could simply go through the trouble of re-creating it and creating their own patches and etc.

[Spyder32]

and if somebody were to find a vulnerability in DOS, they could simply go through the trouble of re-creating it and creating their own patches and etc.

.. For a non-opensource OS?

[Raion]

spyder it's possible..might not come out exact but it's possible

[chsh]

Originally posted here by gore
And where in the hell, are you going to find an exploit for DOS? It's no longer supported, so people don't even bother trying to find holes in it anymore. When have you honestly seen a DOS box get owned?

Back when it was still being used. "Owning" wasn't really what happened back then, but there were trojans developed for Win3.11.

I've never even seen an exploit that would work on DOS.

Exploits need something to break. There is very little to DOS. Most of the exploitable software was terminal-oriented, therefore there was little protocol/interpretation crap to exploit (which is a fair chunk of what you see today).

Again, as I've said before, I'll say it again:

If you could re-write parts to DOS, so that you could actually take out and modify parts of it, then leave a program running all the time, that's a task running, and another can't be started. Well, actually, I tale that back, yes one can be, but all I'm saying is that, with proper re-write, you could make DOS very secure.

As soon as you start to re-write the OS you aren't just "Using DOS as a secure platform", thus defeating this whole thread.

BIOS boot password, make a Batch file to use Anti Virii to scan at every boot up and shut down.

DOS does not shut down. Really, your lack of working experience with it speaks volumes about how you came up with the concept.

And for the people who aren't getting the point of this thread:
I'm not trying to make DOS out to be the greatest thing since SCO making asses of themselves publicly, I'm just trying to have something on the front page that isn't a tech support question, and where people can discuss ideas.

That's all well and good, but IMO this isn't the type of discussion that should hang around on the front page. It looks ridiculous, and isn't even all that good a discussion. If you wanted a thread about security theory, work with something modern, don't jump to something decades old as a potential solution. The KISS (Keep It Simple, Stupid) principle applies up to the point where you are sacrificing all useability, then it falls short.

I'm NOT trying to make out like DOS is the answer to everything, I AM trying to show uses of something most people won't even look at twice.

Having used DOS back in its time, it was a decent option for an operating system. Nowadays it is an impractical farce at best. It served its purpose, let dead dogs lie.

And again, I'd like to see someone show me an exploit that would actually allow you to take over a DOS box.

Boot the operating system and leave it running. There is no login management, there is nothing preventing a person from using your box while it is running.

Now, as for being well thought out....Mmm, I can't admit to that, it was more like "Dude, Since DOS can't handle more than one user or task, wouldn't that make it hard to break into?"

Which is a flawed statement. DOS can handle more than one task, as I'm sure you are aware at this point.

I'm still waiting for someone to say if it would be possible to code into DOS a bit more to make my theory true. And besides, so far the most someone has pointed out for exploits was a buffer overflow that I've never seen.

Writing anything for dos would be a waste of time and effort. I have no doubt I could write something as you mentioned, however it is counterproductive and an utter waste of time to write proof of concept code for an operating system that ceased vendor support 8 years ago and is no longer in common (or even uncommon) use.

But that was correct, the application set up requests, not DOS.

Correct. The vast majority of exploits that occur occur not because of the OS itself, but rather due to applications/services running on it. Mostly you'll find privilege escalation exploits targeting the OS, but actual intrusions will occur via a service/application (eg: IE/Outlook, Apache, etc.).

And if using it for a server is such a bad idea..... How many of you who used computers in the 1980's used something besides DOS? Anyone I've talked to from back then used DOS, and would run BBS servers on the boxes. Nothing but DOS.

I have. BBS software is not what you would call complicated like today's servers are. They were interactive terminal packages, and that was about it.
As for alternatives, Netware was the most popular non-mainframe server back in the '80s. My Uncle had a Netware 2 server setup in the mid-late '80s that lasted him through 1994 -- in uptime, we were talking 7+ years, had UPS and his law firm was on diesel backup. He went from that to NT.

And it's not like no one ever broke into computers back then, so why didn't they get owned?

They did. Read up on wardialing and so forth. The attacks were different, but just as effective.

I know a dude who used DOS for his BBS server for over 3 years. It was up the whole 3 years, stable as hell, and his never got broken into. Explain?

Nobody cared about his BBS? Seriously, the number of people attempting crap back in that era was basically numbered in the 100s in North America. It has honestly really only picked up a lot since the WWW brought the Internet to home users.

[Juridian]

Good god this thread is the biggest waste of time and effort I have seen next to the nonsensical thread.

[Tedob1]

HT if you serious, not that you'd ever kid, you could use the jaffa web server for dos found here, along with anything else you might need:

http://www.hippy.freeserve.co.uk/msdosnet.htm