Re: Re: January 15 is Personal Firewall Day,help the cause

[jan.muenther () nruns com]

> > at the risk of sounding like a Win32 advocate...
>
> No, you don't. :-)

Phew. :)
> > 0), but hey, it sure is a step forward. They've been lambasted badly and
> > earned it, but they're making progress for sure.
>
> Anything else would be pretty pathetic if you take into consideration
> their financial potential that would enable them to throw in a hundred
> full-time developers to audit ANYTHING they have ever written and sold
> during the last two years.

The problem MS have is that their codebase is *gigantic* and that large
parts of the code have been written by outsourced companies who are long
gone. So, partly, even MS themselves have very little idea of what their
code actually *does*. Bad point to start from. 

> The reason Microsoft is not auditing more software is that their
> priority is still on profits and not on security. This is the difference
> with projects like OpneBSD. They don't work to make profits. They work
> to publish the most secure Unix system there is.

This, however, is *totally* not restricted to MS. In fact, a lot of systems
only become vulnerable due to incredibly badly written and largely untested
application software. This is something people like to forget about, you can
have a fully patched killer system, if your application is vulnerable, you
might be toast anyway. I see that every day in my job. 
> basically this shouldn't be too much of a hassle since ActivePerl isn't
> too bad.

<insert my usual Python advocacy> ;)

> I can't remember ever heaving read something about a firewall built in
> Windows when browsing the Windows manuals. It doesn't spring into your
> face to say the least.

Well, I was surprised to see that in XP it actually clearly tells you about
the Internet Connection Firewall and what it is when you create e.g. a
dialup or PPPoE connection. 

> Well, I simply don't understand why MS is shipping Windows with an AOL
> link on the desktop instead of a "Enable Firewall" link.

I know, it's sick. But I have to remind you of the fact that the
"point'n'click" firewalls in recent Linux distros are a relatively recent
thing as well. MS is just moving very, very slowly. It's a Leviathan.

> Security doesn't seem to be a priority as long as MS products sell
> without it.

That doesn't only apply to MS. To my mind come names like Oracle, SAP,
IBM... you name it. It's a general problem. 

> Of course. But the point I am aiming at here is the fact that VERY often
> patches for well known security related bugs in MS software are not
> available for weeks or even months.

Again, true. And again, that's not a genuine MS problem, it's a problem with
people who don't understand their own software, or try to ignore it until
the first worm appears or public pressure becomes unbearable due to other
facts. 
> who used to offer a list about unpatched bugs in MS software on his
> company's site. The list contained more than 30 unpatched bugs that
> could be exploited at the time he took the list offline. He is doing
> business now with Microsoft, so full disclosure isn't an option anymore,
> I guess.

Thor did great work there, and if he now works with MS and helps them fix
their stuff, I have no moral problem with it.  
> Comparing this to Linux and open sourced Unix systems you'll agree that
> bugs are available VERY fast and critical bugs don't go without patches
> or workarounds for weeks to come until they are revealed.

True. On the other hand (I *know* people will kick me for this), OSS is more
likely to be perused for vulnerabilities, since you can simply read the
sources. It sure helps to enhance the overall code quality in the long run,
but it also makes 0days somewhat more frequent. 

I have some simple proof for that: While exploitation on open source
platforms like Linux has really gone to some pretty esoteric levels, you can
still find vulnerabilities like classical buffer overflows and format string
bugs in commercial Unixes (I think Georgi Guninski had already pointed that
out ages ago). 

Of course closed software isn't more secure. It's just harder to search for
vulnerabilities, since not everybody who can read C can also handle IDA and
a debugger of choice. 

> would have to compete with a mighty host of free and high quality open
> source programs that come without commercials and offer the same or
> better usability. Guess what the consumer is going to chose.

Hm. Are you saying Mozilla is better than Opera?

> Concerning your /etc/passwd file. It's shadowed, isn't it? So even if it
> got sent to someone he'd have to crack it with john or something and
> count on weak passwords. If you chose your passwords with more than 9 or
> 10 letters/signs randomly than he'd be busy 60.000 years for just one
> password if he can do 10.000.000 operations in a second.

Dude, it was only /etc/passwd, which in FreeBSD is hardly more than
decoration - I guess the point was collecting usernames. Of course it's
shadowed, and the shadow file is not world readable. This isn't HP-UX 10.20
:)
> > Hm, no. NTFS actually supports ACLs straight out of the box.
>
> Well, why can I browse the file tree and even change stuff on a default
> Windows 2000 installation that doesn't belong to my user?

Because the default install allows you to. Btw, in a lot of distros umask is
set to values which beautifully allows you to traverse the file systems at
will, including other people's home dirs (you can't read their files
though).

> If there IS the possibility to use these restrictions why doesn't a
> default installation use them to full extend?
Because it would make games harder to install, I guess. I've seen some
labeling his Windows "AGN" all over the place. It stood for "Advanced Game
Loader". 
> > With runas, you can switch the security context of the current user to run a process with
> > different credentials.
>
> This is new to me. Is this a feature of Windows 2000 or has it been
> introduced in Windows XP or 2003?

Windows 2000 Professional onwards, I think. 
> that the "one-click" installation doesn't require the prompt for a root
> password. This is insane. The people selling this should be punished by
> cleaning every infected box themselves, worldwide and 24/7.

Please please... this isn't a genuine MS problem and not only Lindows folks
are guilty of it too, tons of products have that. 

> > Authority / SYSTEM - the IIS5, I mean, IIS4 did run as system. Then again,
> > come on, a lot of Unix services run as root as well, at least on classical
> > Unix systems. 

> I'm actually not aware of any daemon offering external services that
> doesn't have its own user linked to it.

inetd comes to my mind, tons of sendmail or bind installations, sshd until
recently... 
> The only way to get Microsoft to improve security is to put pressure on
> their profits. This is the only lever that actually can move anything
> inside Microsoft. This is the difference to other software projects that
> don't have this lever.

I'd love to see liability laws applied. 
> If Microsoft doesn't know how to offer the features without opting out
> of security then they should strip that feature. It's as simple as that.

Well, the problem is they're still aiming at backward compatibility in hash
format, which I find odd, since they seem not to have any scruples to push
their new Office versions onto the market through using incompatible
document formats. This sucks.
> I'd love to know more about that. I thought that since Linux itself
> doesn't come with a way to decrypt the password file other than using
> brute force (with john or something) this is as "safe" as it can get.

Actually, it's best not to use passwords at all. They really suck, as a
matter of fact. But what I was referring to is that Windows is actually
using access tokes (I'll explain it in a private mail soon).
> There is a lot of truth here. How can administrators know enough about
> their Windows system and its software when it's very hard to obtain
> "full disclosure" information on closed, propriety software which is
> very often poorly documented?

This is a very common misconception. There is actually plenty of information
material on Windows internals and the possibilities of enhancing its
security out there. Ironically, a lot of good stuff comes from MS Press. 
> Those are the "I did switch recently and I feel SO safe now" users. As
> soon as they use Linux for a certain time then they get to know that
> there's more to security then the right software.

I have to disagree. From my experience, these are pretty often also Unix
administratoes with 20+ years on the job, who refuse to allow the thought
that there might be something wrong with using e.g. r-services enter their
heads.  

> OpenBSD does offer a very high level of security "out of the box" even
> if not updated for a while. They had about a handful of remote exploits
> on a default installation in about 7 years. This same amount of remote
> exploits did occur within just two months in some Windows system.

I like w^x, it's cool. But still, I've rooted OpenBSD systems because people
chose dumb passwords and didn't patch against (not so rare) local
vulnerabilities. Again, assumptions can break your neck. 

Have a good day,
J.

P.S.: Why the fuck am I posting 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html