Archive for October, 2006

When I become an instructor…

Monday, October 23rd, 2006

When I become an instructor, I plan to implement this idea whether through the campus or not. There truly is a lack of hands-on training when it comes to network and information security classes. Regarding a fellow student’s concern about the lack of hands-on security learning experiences:

What I’d like to see is more hands-on. I’ve had classes that promised it but never delivered.

I think it’d be fun to have some sort of white-hat event where students are given a semester to discover potential security flaws of a system set up in class. A honeypot of sorts. Let students use constructive and creative means to figure out various aspects of the machine without actually being able to sit in front of it and log in. For instance:

* What OS is the machine running?
* What services are running?
* What services could potentially be abused or are misconfigured?
* Can you access the user accounts on the machine remotely?
* Are the passwords to the accessible user accounts easily crackable?

Examples of a misconfigured machine:

Run any distro of Linux with ftp, telnet, SSH, mail server, web server, webmin. Give each student a user account on the machine and allow them to poke, prod, and see what can be done if they have user-level access to the machine. Throw in a couple of fake user accounts with weak passwords.

Run Windows 2003 server with no service packs. Set up an ftp, telnet, mail, and web server. Give each student a user account on the machine and allow them to poke, prod, and see what can be done if they have user-level access to the machine. Again, throw in a couple of fake user accounts with weak passwords.

Throw the machines up on the network as ownme.*.edu and pwnme.*.edu. The cost would be fairly minimal – maybe a couple thousand dollars for the machines and the Windows 2003 server OS. Then the disaster recovery class could set up a backup system at the beginning of the semester and “recover” at the end of the semester after everyone else gets to play. Things like this could be useful to several other classes as well.

Not only that, but this kind of stuff would be fun and would give students a chance to be creative and see security from more than just a home user view. It would also give students a chance to research tools that crackers use as well as tools that could help them, as security experts, maintain an acceptable level of security on their own systems.

As you can tell, I’ve had this in mind for quite some time. Mainly because both schools I’ve been to have not had any form of hands-on security training other than a lame “wild packets” sniffer. I’d LOVE to be a part of setting something like this up (hint hint).

If anyone runs with my idea, you heard it here first 😛

Kidding aside, hands-on security research really should be implemented and more widespread throughout colleges and universities. Being book-smart about it won’t prepare you for what’s really out there, nor will it familiarize you with the methods used by malicious individuals to crack your system/network/information.

Quote of the week – October 23rd, 2006

Monday, October 23rd, 2006

Only wimps use tape backup: _real_ men just upload their important stuff
on ftp, and let the rest of the world mirror it 😉
— Linus Torvalds, about his failing hard drive on

Microsoft EULA

Thursday, October 19th, 2006

Take the time to read your Microsoft End User License Agreement sometime. It licenses the software you bought in ‘As-is’ condition. ‘As-is’ is exactly right, same as if you’re buying a used car from a dirt lot. If you read your MS licenses carefully, you will find that they specifically avoid claiming that the software will allow you to type a sentence, add two numbers, or draw a straight line.

In practical terms, you are actually licensing a product that is not guaranteed to do anything at all. Any functionality you might use is just icing on the cake that you should be grateful for. So from a licensing standpoint, they owe you nothing in terms of continued functionality of any kind, because they never promised you any functionality in the first place.

Read a software license, but replace the words ‘software application’ with ‘Ford car’ wherever they occur. The effect is hilarious – it isn’t guaranteed to do anything, isn’t guaranteed not to crash, not to have defects, etc. Try it sometime, it’s a good brain exercise.

Quote of the week – October 16th, 2006

Monday, October 16th, 2006

“The box said that I needed to have Windows 98 or better…so I installed Linux.”

Microsoft’s EULA vs. GNU Public License

Saturday, October 14th, 2006

With Vista just around the corner and Microsoft becoming more restrictive by the day with DRM and licensing, who knows what is in the future for IT. Here are some features of software covered by the Microsoft Windows XP EULA:

* Copying is prohibited
* Can be used only on one computer with a maximum of 2 processors
* Cannot be used as a web server or file server
* Requires registration after 30 days
* Could stop working if hardware changes are made
* Updates can change the EULA if the company so wishes
* Can be transferred to another user only once
* The new user must agree to the license terms (no specification of how this could be achieved)
* Imposes limitations on reverse engineering
* Gives Microsoft the right to collect information about the system and its use
* Gives Microsoft the right to supply this information to other organisations
* Gives Microsoft the right to make changes to the computer without having to ask
* Warranty for the first 90 days
* Fixes, updates or patches carry no warranty

Here are some features found in the GPL:

* Freedom to copy, modify and redistribute the software
* Precludes one party from preventing another from having these same freedoms
* Provides coverage for rights of users to copy, modify and redistribute the software
* No warranty as there is no fee
* Can be sold if the user so decides and services for such software can be charged for
* Any patents must be licensed for everyone’s use or not licensed at all
* Modified software must carry no licence fees
* Source code must be provided
* If there is a change in license, the general terms of the existing one will be maintained

Open Source vs. Closed Source

Thursday, October 12th, 2006

My response to a student’s recent post regarding open source versus closed source software:

Though open source has very few credible sources to list security vulnerabilities

I would call the SANS Institute credible. I would also call SecurityFocus a pretty credible source. I thought CERT was pretty good too. Would you agree those are pretty credible sources?

and is left to the users to discover and report them.

You mean like when Microsoft releases beta versions of their product for the public to discover and report bugs?

Which is completely up to the person who found it to report, which depending on their motives may be very harmful.

Just like the developers or testers for any other OS or application.

You could consider those sources credible, but I don’t believe in their overall usefulness.

You’re free to bring in your own, more “useful” sources if you would like. I’d be interested in seeing them.

Once again, it’s a matter of incentive. People who do it for “love of the OS” in my opinion will never be as efficient as people who do it to make a living.

Then why does Microsoft send out beta releases to the public? People don’t just submit bugs for the “love of the OS”. The last bug report I submitted was a PDF issue with a specific character and a specific font to the folks at OpenOffice. Obscure as it may have been, it was fixed with the next release. I’m not a programmer so I couldn’t fix it myself, but I like using a specific font and I often PDF my work, so I submitted the bug. As far as being efficient, sure, maybe a couple hundred MS people get paid to find and fix bugs; however, you have armies of people who just submit bugs like I did for the heck of it. It only took me as long as it took me to write what I did above. You also have thousands more programmers looking at the code as well. Hell, Microsoft even nabbed some of BSD’s networking code for their own OS – why couldn’t they just use the code they had been using if it’s that much better? Or did they find BSD’s code to be superior?

As for releasing betas, how else are compatibility issues going to be tested? With the HUGE array of software being used today it would be virtually impossible to test the interaction with a large portion of business environments.

Who on earth is going to put a beta OS or beta software in a business/production environment? Most businesses that I know of won’t use an OS that’s even been released in the last 6 months, let alone one still in beta. My last employer (a worldwide company) didn’t start using XP until a year after it was released. They started testing it 6 months after it was released. Cutting edge is acceptable to business more often than not, but bleeding edge is pretty much unheard of. Businesses don’t care to be Microsoft’s beta tools because it costs them money on several levels.

Server software statistics

Tuesday, October 10th, 2006

This is a response to a recent post by a fellow student. I had to respond and set the record straight:

It would be a really hard sell for someone to convince me to use open source within a company.

62% of the people running web servers disagree – they use Apache, which is open source. (Including Blackboard 😉 )

100% of the root DNS servers also disagree (can’t find a good link other than this).

Right around 78% of the top 500 supercomputers in the world are open source as well. (Choose “Operating System Family” from the drop-down menu)

Right around 60% of mail servers are also open source. (Yes, the survey is a little old, but you get the point)

If anything, it might be said that Linux/BSD/Open Source isn’t ready for the desktop. However, open source operating systems as well as software are pretty dominant in the server world. Hopefully this clears up a bit of confusion.

Quote of the week – October 9th, 2006

Monday, October 9th, 2006

Linux was made by foreign terrorists to steal money
from true AMERICAN companies like Microsoft who invented
computing as we know it, and are being punished for
their success…

Variations in exploit methods between Linux and Windows

Wednesday, October 4th, 2006

This document compares the same Oracle 9i vulnerability on a Windows system and a Linux system. It points out similarities and differences in using the exploit on each system. A very insightful read.

Here it is.

Google hack – what is my password?

Tuesday, October 3rd, 2006

It’s nice of Google to help us know what your…er…our password is.