How do you think "script kiddies" manage to hack places? Using scripts. Such scripts are drawn up using all the disclosures about bugs.
Buggy? Angry? LET IT ALL OUT says Linus Torvalds
Linux overlord Linus Torvalds has articulated views on security at Linux.conf.au, and seems to be closer to Google's way of thinking than Microsoft's. Torvalds, along with Debian luminary Bdale Garbee, Samba man Andrew Tridgell, and kernel coder Rusty Russell spent an hour answering conference attendees' questions last week. …
COMMENTS
Monday 19th January 2015 15:39 GMT admiraljkb
Re: How do you think 'script kiddies' get away with it for so long
>>just because you don't know about the flaw doesn't mean no-one does.
@Magnus_Pym is quite correct. In the current era of a menagerie of criminal groups, government agencies (globally, pick a country, any country), and others like hacktivist groups, there are a LOT of flaws that are undisclosed, already found and WAITING for the right time to exploit. This isn't the good old days with a solitary kid in his basement hacking away for the lulz of it, it's now serious business. Responsible/timely disclosure should be mandatory, because other people probably already know about the vulnerability and are holding the exploit for it in reserve until the "time is right".
Monday 19th January 2015 09:12 GMT David Dawson
No, the one does not follow the other.
Hacking tools are built by clever devs, yes. They are sometimes picked up by script kiddies, sure. Where the vulnerability information they are based on comes from is an open question.
There are established market places for information like this, which wouldn't be the case if it all came from public disclosure reports. It seems likely that a goodly proportion of the data publicly disclosed is actually being rediscovered by legitimate researchers, and is in use already as an attack vector.
Publicly disclosing ASAP in those cases is essential.
Part of the problem is that it's very often unclear when those cases are, hence some in the industry leaning towards general disclosure (as Google and Linus promote), and others leaning towards selective disclosure.
Monday 19th January 2015 12:35 GMT Roland6
>"There are established market places for information like this, which wouldn't be the case if it all came from public disclosure reports."
I think the main effect of encouraging quicker public disclosure will be to reduce the value of a known loophole. With companies quietly sitting on bugs, they create a black market for known exploits: so if I were to discover a vulnerability, it is probably in my interest to sell it on the black market, and the longer the bug goes unfixed the greater (hopefully) my return.
With public disclosure, however, we significantly increase the exposure of a bug, making it much easier for "script kiddies" to hack something together "for a laugh" (remember the early PC viruses?).
Additionally, just as we've seen with services such as Virus Central, a public list permits the holder of an exploit to firstly assess whether anyone else has discovered the exploit and secondly to track its closure; knowing these contributed to the value and hence price placed on an exploit.
Whilst the effect of this might be to make major companies such as MS et al. more proactive on fixing bugs, I suspect a knock-on effect will be both an increase in price and a reduction in the current included service level, due to the additional costs being incurred in maintenance and support.
So I think that we need to be sure that bugs are 'publicly' disclosed in a way that facilitates their distribution to those who wish to guard us against their exploitation and those who will ultimately fix the bug itself, but discourages/minimises disclosure to those who wish to exploit the bug.
Monday 19th January 2015 15:44 GMT admiraljkb
" look at the tie die"
>> Really! Professional shills ought at least to be literate. The correct spelling is "dye".
It might have been "Deutchlish" - then it would translate to "tie the shirt"? If that is the case, they might have a point. Tied shirts like those worn by Daisy Duke and other backwoods beauties would be unprofessional in the workplace. Not that I've seen a Linux-using Daisy Duke in IT yet.... *sigh* hehe
Monday 19th January 2015 09:14 GMT SolidSquid
True, but generally either those bugs have been patched and the scripts only affect older versions, the disclosure was done on the darknet rather than publicly (so the developers aren't aware of the issue), or it was disclosed to the company first and then publicly, and the developers have decided it wasn't a big enough issue to be worth patching.
Public disclosure of a bug is a pretty small proportion of automated scripts, which tend to favour detecting and exploiting known existing bugs which just might not have had the patches installed yet, and using that to get access to the server and an internal IP for the network to access other systems (like the Sony server hacks back when Geohot was sued: the boxes used for entry hadn't been patched in years, despite fixes for the bugs the hackers exploited having been released for some time).
Thursday 22nd January 2015 16:14 GMT Michael Wojcik
Re: "on the darknet"
> Given we all know what it means,
The premise is false. I have no idea what "darknet" is supposed to mean, beyond "ooh, scary people have network connections".
> it is now a good and useful word.
And even if the premise were true, I reject that enthymeme. Common meaning is not sufficient to make a word useful, except in the degenerate sense of "has some possible use". If it doesn't add some novel and productive connotation or rhetorical effect to the vocabulary, why is it useful in any practical sense?
(In this context, "good" is meaningless, so I'll ignore it.)
Sunday 25th January 2015 21:19 GMT Daniel B.
Re: "on the darknet"
> The premise is false. I have no idea what "darknet" is supposed to mean, beyond "ooh, scary people have network connections".
It usually refers to hidden networks that allow connected users to remain anonymous, like Tor or Darknet (yes, there's an actual "darknet" called Darknet).
Monday 19th January 2015 09:25 GMT Tom 7
The best way to find flaws is to use the methods that should be used in testing in the first place: take part of an API and fire shit at it until it fails in a way you can take advantage of. Twenty years ago this was almost pointless but now you can exercise an interface with several tens of million different bits of crap in a second - a lot easier than reading the source code.
Thursday 22nd January 2015 16:10 GMT Michael Wojcik
> The best way to find flaws is to use the methods that should be used in testing in the first place: take part of an API and fire shit at it until it fails in a way you can take advantage of. Twenty years ago this was almost pointless but now you can exercise an interface with several tens of million different bits of crap in a second - a lot easier than reading the source code.
Fuzzing and other forms of black-box testing are certainly important, but there's no justification for calling them the "best way to find flaws". That's simply wrong.
Historically, many important vulnerabilities that were discovered by other means - whether that's reading source code, manipulating multiple documented interfaces, or whatever - could not possibly have been discovered by fuzzing, because they require manipulating multiple vulnerabilities in ways that combinatorial explosion puts far beyond the reach of (pseudo-)random brute force. Tavis Ormandy's #GP Trap Handler exploit for Windows is a good example.
Analytically, it ought to be obvious that there can't be a "best" method of security analysis in any absolute sense, because requirements are situational. If I'm testing the part of my threat model that involves someone breaking into a data center and physically stealing drives, fuzzing APIs isn't going to do me a damn bit of good.
Many people want to condense IT security down to some simple set of rules. Ain't gonna happen. Complicated systems are complicated.
Monday 19th January 2015 09:25 GMT Lee D
If someone, anyone, a security researcher or some kid downloading something from the Internet, is able to tweak a setting and compromise a system... it DOES NOT MATTER the origin of that information. There are entire markets with 0-day flaws, there are flaws floating about IRC channels and Usenet, there are pre-built hacking tools just ready to download and craft your own version of any particular exploit.
The fix is not to pretend the flaw doesn't exist, couldn't be found by someone else, etc. It's to patch it. As soon as you can. As well as you can. Rather than bury your head in the sand.
And "testing" some of those patches is almost not necessary - the fixes are so simple as to be auditable quite quickly and only in very isolated components that serve one particular task.
Take the OpenSSL flaws. Some of those were hinted at and reported. When I looked through the OpenSSL code, it was a mess, but anyone with time on their hands and reason to do so could have found those flaws YEARS ago and kept a lid on it all that time. The fix is not to then go into a 90-day hiatus and eke out every second of non-disclosure. It's to fix the problem ASAP. For 90 days, someone in Google, probably several people, has KNOWN of that flaw. It's been in a database that probably dozens of people had access to. Any compromise at Google would have given someone a 90-day window of flaw execution. Why is it that people "don't trust Google" for years but all of a sudden they expect them to hold onto such a flaw perfectly and never reveal it.
It's a flaw. Someone knows about it. Fix it. Whether that someone is your own security team, a security researcher (of course, they are ALL trustworthy and would never sell their skills on the black market on the side....), or some kid on the Internet. Fix the damn problem.
Monday 19th January 2015 12:33 GMT Anonymous Coward
"How do you think "script kiddies" manage to hack places? using scripts. Such scripts are drawn up using all the disclosures about bugs."
So? It's not the fault of the one who discloses the flaw.
People seem to misunderstand the "full disclosure" concept. It does NOT mean: I find a bug, I publish it right away.
What it actually means is: I find a bug, I inform whoever is in charge of the code, I give them a reasonable amount of time to fix it, I may even remind them after a while. If they still choose not to do anything about it, Joe Public has the right to know that the product he uses is being neglected by the people who provided it to him.
Google's 90 days limit seems reasonable enough. Most disclosers wait even longer.
Many reports also include a working example of how to abuse the flaw (exploit) or even an explanation or even a code example of how to fix it! If $provider chooses to ignore flaws over extended periods of time, they obviously don't give a toss. Going public is the only way to force them into doing something about it.
Thursday 22nd January 2015 16:17 GMT Michael Wojcik
> How do you think "script kiddies" manage to hack places?
A better question is why do you think your ignorant and trivial argument is interesting?
As Linus noted, and as I and other commentators have mentioned several times in these discussions, the question of responsible disclosure has been publicly and prominently debated for decades. What in the world would make you think that this sort of handwaving observation, even if it were true (and it is not), would be any sort of contribution?
Monday 19th January 2015 09:58 GMT Anonymous Coward
Re: No need to be a dick.
But if enough people kiss your arse even when you are a dick then there's no reason to behave differently.
Year of the Linux desktop? Not while the public face of Linux and the internet voices of its devotees remain so pompous, arrogant and just downright unpleasant...
Monday 19th January 2015 13:17 GMT Androgynous Cupboard
Re: No need to be a dick.
Who do you want building your kernel? Someone who eats, breathes and sleeps it and will trample over anyone and anything to do so, or someone that's aware of the "wider picture", the business case for delayed releases, the internal politics of large organisations?
There is room in this world for single-minded, borderline autistic obsessives - I want them building my kernels, my braking systems and my parachutes.
Tuesday 20th January 2015 14:42 GMT Tom 13
Re: Who do you want building your kernel?
If you're willing to admit that coding skills and social skills are on independent axes, why do you keep being a dick and insisting only people who have both can code important projects?
I'm always amazed at how many people love Hugh Laurie in House, yet rant endlessly about such people when they are real life bosses.
Tuesday 20th January 2015 12:31 GMT Anonymous Coward
@Fandom: Well, when you talk about "pompous, arrogant and just downright unpleasant"...
... you certainly know what you are talking about.
I am rubber, you are glue! Hey, if we're going to just do the "No, you are!" argument, let's do it properly.
Difficult to judge my pompousness from one anonymous post though. Torvalds is all over the internet....
Monday 19th January 2015 11:51 GMT yossarianuk
Re: No need to be a dick.
> Not while the public face of Linux and the internet voices of its devotees remain so pompous, arrogant and just downright unpleasant...
So Enterprise, phones, tablets, toasters, watches, fridges, cars, etc are fine with such a person.
Why does the desktop need nice people again ?
Monday 19th January 2015 16:05 GMT FIA
Re: No need to be a dick.
"Year of the Linux desktop? Not while ..." Microsoft maintain a monopoly on IT in the workplace and consumer-focused computing increasingly moves to tablets and mobiles (and Macs).
;)
Jobs was a dick and people still seem to like his shiny shiny.
Most non techie* desktop users don't even know who Linus is.
(*Aside: I really wanted to write 'techy' here, but I couldn't stop thinking of Mr Flibble).
Thursday 22nd January 2015 16:20 GMT Michael Wojcik
Re: No need to be a dick.
> Year of the Linux desktop? Not while the public face of Linux and the internet voices of its devotees remain so pompous, arrogant and just downright unpleasant...
So true. Why, Windows would never have become popular if Gates and Ballmer weren't so damn charismatic. And the Apple OSes also clearly owe their success to the modest charm of Mr Jobs.
Really, I can't think of a single OS that doesn't owe its success to some saintly technical leader.
Monday 19th January 2015 13:08 GMT phil dude
Re: Sounds like he needs a kernel upgrade
and yet you're A/C, so how do we know what *you* do for a living?
Seriously, I get why LT is not concerned about his social persona.
Perhaps there is the lesson about meritocracy here?
Have politicians blinded us all with their "polite but incompetent" veneer?
There is short enough supply of competent people in this world, LT seems to have found the groove that plays the nicest tune...
P.
Monday 19th January 2015 09:36 GMT jake
There is a difference between asshattery and "not my problem & I'm tired of hearing about it".
"Might Torvalds have been aware of Google's twin disclosures of as-yet-unpatched Windows flaws last week? Sadly that question didn't come up during the talk."
Methinks Torvalds doesn't give a shit about Windows flaws. Not his problem. Nor mine.
Monday 19th January 2015 10:02 GMT Anonymous Coward
So he admits it
He is unfit for the workplace. He may well be the darling of the penguinista fanbois, but that is no excuse for him being aggressive and insulting. If he wasn't idolised so much he would have been fired a long time ago for bullying.
If Linux wants to be taken seriously, they have got to find a better poster-boy.
As for 5 days to disclosure...no wonder Linux is derided. Some people have real work to do and can't spend 24/7 sat on the command line recompiling their kernels because some amateur screwed up. Again.
At least with professional software you (usually) get updates at a predictable cadence and can plan the patches. Seems Mr Torvalds would rather have us firehose the damned things and that just won't happen.