AW: [suse-security] [Flame] A Disservice to the Linux Community
Very interesting debate, it's the first time I'm noticing that opensource devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/

-----Original Message-----
From: Ken Schneider [mailto:kschneider@rtsx.com]
Sent: Monday, 5 November 2001 14:38
To: suse-security@suse.com
Subject: Re: [suse-security] [Flame] A Disservice to the Linux Community
<flame> You sir are an idiot.
What we are talking about here is a pretty major bug in the Linux kernel. Linux is now a mainstream product that is used commercially in many major organisations.
SuSE have done the responsible thing by giving the other commercial distributions a limited window in which to bring their distros up to date. If YOU were a programmer/exploit developer and had found this bug yourself, you would be free to release this information to the general public first without giving the Linux developers time to develop a fix. As it is, from a google search I can find no useful contribution from you regarding anything, not even help to someone else on a mailing list.
Please go back into your corner, sit down and shut up.
Feel free to speak again when you have something productive to offer </flame>
Not enough coffee today ...
Bravo, bravo.
This guy does need to sit in a corner! I feel you took the correct route by NOT announcing a major kernel bug to people that could exploit it BEFORE having a fix available, including any competitors having a fix or knowledge.
--
Ken Schneider
Senior UNIX Administrator
Network Administrator
On Mon, 5 Nov 2001, Bitzer,Gerd wrote:
Very interesting debate, it's the first time I'm noticing that opensource devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/
Exactly. Microsoft needs people to shut up about security flaws because they only have the number of developers that they can pay. They can't develop patches faster than crackers develop exploits. Linux doesn't have that problem. Scott Culp's "Information Anarchy" speech here is explaining how companies like Microsoft can't survive in a world where security flaws are known immediately upon discovery. In his sad little universe, progress is very slow and security is very expensive and working on it blocks development of profitable features, and that makes disclosure a bad thing.
Bear
Very interesting debate, it's the first time I'm noticing that opensource devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/
I think so, too. The particular bug that has been found is not really severe, as far as I understood it (you have to guess a 24bit syncookie). I don't think that there was anything that spoke against full disclosure. What SuSE did was _maybe_ good from the commercial side, but absolutely not from the free and open source side. This makes me a bit sad :(
Markus
--
Markus Gaugusch, ICQ 11374583, markus@gaugusch.at, Linux 2.4.13
YuppaDuppa, On 05-Nov-01 Bitzer,Gerd wrote:
Very interesting debate, it's the first time I'm noticing that opensource devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/
:)
Hmm... a full disclosure debate on SuSE sec, and I was on vacation. Shame! ;) Well... On Bugtraq, every now and then this debate breaks loose, and in the end the whole thing usually turns into a flame fest. Funny to read, but dangerous to reply! :)

The questions: Do *all of us* have the power/knowledge/spare time/etc. to actively counter any kind of new vulnerability, e. g. by developing patches or other counter measures? Do *we all* know how to code in C, search for kernel vulns, wade through tons of esoteric sec or network techniques?

The answer: No, most of us don't. There are some who could have coded their own patch, and naturally they think that this kernel-vuln-issue should have been announced earlier. In this special case, with a kernel-vuln at hand, I think it was the Right Thing to wait for a proper patch before making the stuff public. Kernel stuff is way more complex than a simple buggy daemon. I only hope this case will not be standard in the future.

Normally, I'm a strong supporter of full disclosure, because it's a free OS we're talking about. Saying that there are "commercial" companies with a commercial interest in delayed disclosure is not very helpful. Information is free, and will find a way to be free if it is cut down. There's plenty of info in other corners of the 'net, so we here and the Bugtraq ppl should not believe the hype; if a new vuln will not be published on Bugtraq or SuSE sec, it sure as hell will be on 2600, in loads of news groups and on countless non-public BBS's, via ICQ/IRC, etc. Most ppl have no idea of the gray/black scene I fear.

Exaggerated cutting of information will help the crackers, not the admins, because it does not affect the channels of information of the crackers, but official lists, like Suse's. No man is an island, no sec mailing list is, too. Bugtraq and SuSe sec are not the center of the security universe - our enemies are prepared. But with a general cut of full disclosure, we won't be. That's what bugs me.
--
Boris Lorenz <bolo@lupa.de>
Speaking from personal experience as someone who has found a linux security bug or two, as well as problems in numerous other things, and generally been a pain in the ass to the linux security vendor teams for a while =).

This problem was relatively minor. The chances of an attacker successfully guessing a 24 bit syn cookie blindly are ... well.. about 1 in 2^24 (about 16.7 million) but unless you can send more than a few thousand packets a second it's quite hard, since those syn cookie numbers keep changing (gee, you think they designed it that way? ;). Basically you'd probably be best off sending a few thousand packets per second in the same range repeatedly in hopes of "synchronizing" with the target and getting in (which would be noticeable to almost anyone since their links would probably drop from flooding).

But let's assume for the minute the attacker has a whole lot of luck. They can guess tcp syn cookies perfectly. What does this accomplish? Access to firewalled ports on that machine. Sounds bad at first but it typically isn't. For example on my machine any service that is firewalled also uses hosts.allow/deny (if supported) or internal controls (i.e. apache/proftpd). So for anyone security conscious with multiple layers the attacker still wouldn't get in. But let's assume you don't use tcp_wrappers/internal controls, and the attacker can connect. Well this means you need to be running a vulnerable service of some type. Which also means anyone with internal access can exploit it.

But this is all a load of theoretical BS since guessing those syn cookies is exceedingly difficult without access to loads of bandwidth. And if you can monitor the traffic (enabling you to read syn cookies) you could just as easily tcp hijack a connection or do other (much worse) things. In other words the risk was very, very, very low (almost 0, not quite but close). I have not heard of anyone being broken into using this attack to get at firewalled ports. I would love to, since the forensic image of the disk would be very interesting (likely to be a savvy attacker with good toys/techniques).

Announcing this earlier would have resulted in people using the workaround, i.e. removing syn cookies, which if someone is actively going to attack you is probably worse than the original problem. Remember, ultimately a lot of us security people would like to do as little harm as possible. This does not mean 100% full disclosure the second we learn about something, nor does it mean 100% silence and "install this patch, it's important, we can't tell you why". Each situation is different.

Anyways that's the last I have to say about this.

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
In other words the risk was very, very, very low (almost 0, not quite but close). I have not heard of anyone being broken into using this attack to get at firewalled ports. I would love to, since the forensic image of the disk would be very interesting (likely to be a savvy attacker with good toys/techniques).
I doubt that the chances are so bad to bypass the firewall rule. At 1 MBit/s there are about 18000 syn-ack packets that you can send. You have 3 seconds after you have triggered the syncookie mechanism to scan 16 million cookies, which gives you a chance of about 1/1000. Since you can repeat it with no problems, access to a syn-protected port is easily possible.
Announcing this earlier would have resulted in people using the workaround, i.e. removing syn cookies, which if someone is actively going to attack you is probably worse than the original problem.
Remember, ultimately a lot of us security people would like to do as little harm as possible. This does not mean 100% full disclosure the second we learn about something, nor does it mean 100% silence and "install this patch, it's important, we can't tell you why". Each situation is different.
Anyways that's the last I have to say about this.
Thanks, Roman.
--
Roman Drahtmüller <draht@suse.de>, SuSE GmbH - Security, Nürnberg, Germany, Phone: +49-911-740530
"You don't need eyes to see, you need vision!" (Maxi Jazz, Faithless)
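To make the gap between Kurt's "almost 0" and Roman's "easily possible" concrete, here is an added example (not code from the thread) that computes the per-round and cumulative odds of blindly guessing a 24-bit cookie under the figures Roman quotes. It assumes each forged packet is an independent uniform guess at the cookie, 18000 packets per second, and a 3-second validity window per round; those are the thread's numbers and modelling assumptions, not measurements.

```python
"""Residual-risk estimate for blind guessing of a 24-bit SYN cookie.

Added example, not code from the suse-security thread. Model: every forged
packet is an independent guess at a uniformly random `bits`-bit cookie, the
sender manages `pps` packets per second, and the cookie stays valid for
`window_s` seconds before it changes and a new round starts. The default
figures (24 bits, 18000 packets/s, 3 s) are the ones quoted in the thread
and are assumptions of the model, not measurements.
"""
import math

COOKIE_BITS = 24
QUOTED_PPS = 18000      # packets per second, as quoted in the thread
QUOTED_WINDOW_S = 3.0   # seconds a cookie stays valid, as quoted in the thread


def per_round_success(bits=COOKIE_BITS, pps=QUOTED_PPS, window_s=QUOTED_WINDOW_S):
    """Probability that one round (window_s seconds at pps) hits the cookie.

    Assumes the guesses within a round are distinct values, so the odds are
    guesses/space; random guesses with repeats would be slightly lower.
    """
    space = 2 ** bits
    guesses = min(int(pps * window_s), space)   # more guesses than values is pointless
    return guesses / space


def success_within_rounds(p_round, rounds):
    """Probability of at least one hit over `rounds` independent rounds."""
    return 1.0 - (1.0 - p_round) ** rounds


def rounds_for_confidence(p_round, confidence):
    """Smallest number of rounds at which the cumulative success reaches `confidence`."""
    if not 0 < p_round < 1:
        raise ValueError("p_round must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_round))


def expected_rounds(p_round):
    """Mean number of rounds until the first hit (geometric distribution)."""
    return 1.0 / p_round


if __name__ == "__main__":
    p = per_round_success()
    print(f"single blind guess: 1 in {2 ** COOKIE_BITS}")
    print(f"per-round success at quoted figures: {p:.6f} (about 1 in {round(1 / p)})")
    print(f"expected rounds to first hit: {expected_rounds(p):.0f}")
    print(f"rounds for 50% cumulative confidence: {rounds_for_confidence(p, 0.5)}")
```

The per-packet odds are Kurt's 1 in 2^24; what the cumulative figures show is that the defender's real question is how many consecutive rounds of sustained flooding go unnoticed, which is why Kurt's point about layered controls (tcp_wrappers, service-level access control) matters more than the raw cookie width.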
Hi there,
Very interesting debate, it's the first time I'm noticing that opensource devoted people agree with the meaning of Microsoft: http://www.heise.de/newsticker/data/lab-18.10.01-000/
You should probably read this paragraph again. We _WILL_ post details about security-related fixes in update packages that we offer, it's just what we owe to the people who report the bugs. The fact that some information gets delayed for the sake of coordination has absolutely NOTHING to do with it.
Bravo, bravo.
This guy does need to sit in a corner! I feel you took the correct route by NOT announcing a major kernel bug to people that could exploit it BEFORE having a fix available, including any competitors having a fix or knowledge.
Generally, the experience in the past has proven that full disclosure is the best way to deal with security holes. This will not change, and it did NOT change this time either. It is not the first time that vendors and security professionals have coordinated not to go public with a hole unless everybody has the fixes, or at least has known of them for a certain time. This is a _regular_ procedure. On the other hand, it's "fire when ready" if a bug is known to the public already.

If people want to have these details communicated to the public at the same time as the vendor knows about this, then our section 3) of the announcements is useless. We want people to report security bugs to the security contact address, and we want to have the bugs fixed before it gets known to the public, just because we have some kind of responsibility to the people who pay bucks for a box. We communicate these bugs to the rest of the distributing vendors and to the authors, where necessary. You could do that all on your own, but I guess that it might be easier for you and the rest of the world if you just apply an rpm command, don't you think?

This time, the bug has only been known to the Linux vendors and some few sec specialists, because it was reported to and fixed by SuSE people (Andi Kleen). SuSE security benefits from the close and direct communication between the vendors, as much as the others benefit from the communication with us. If we had published details about the hole in our announcement on October 26th, people would have eaten SuSE alive. Fact is now that some few people start complaining now that a bug has been fixed that hasn't been known earlier in the public. It's not a privilege that the bugs get reported to us. It's work.

Roman.
--
Roman Drahtmüller <draht@suse.de>, SuSE GmbH - Security, Nürnberg, Germany, Phone: +49-911-740530
"You don't need eyes to see, you need vision!" (Maxi Jazz, Faithless)
WARNING: THIS IS A SLIGHT FLAME IN RESPONSE TO RECENT POSTINGS, DELETE RIGHT NOW IF YOU ARE TIRED OF READING THESE POSTINGS. I WAS ALSO TIRED BUT NEEDED TO GET MY 2 CENTS IN:

I have watched this thread now for some time and feel as though my 2 cents might not hurt at this point. First, I have no ties to SuSE other than being a user of their distro who has looked at most other major distros and come back to what is the most complete I've seen so far.

Now, I think that the action taken by SuSE was completely correct. Rather than a) letting some deviant find and exploit this problem, typical MS style always playing catchup, or b) announcing the problem prior to a fix therefore giving said deviant the know-how to exploit, SuSE first found the problem, might I say a great credit to the people at SuSE ;-), then both fixed and informed other distributors of Linux of the problem and fix, then announced the problem to the world when and only when there was a fix. I believe this is why we have distributions, so they can take in mass quantities of apps, test them, package them, and ship them out to us in a nice little box therefore removing the requirements of downloading half the software on the planet, testing, and hoping that no flaws exist. Further might I add that SuSE is the best one at this, think about it: 7.3 shipped with 7 CDs, 2300+ apps, and an install routine I could leave my little Sister, who has little to no computer knowledge, to complete successfully.

Where previous posts on this thread have gone too far in my humble opinion is to liken any Linux distributor to MS. Again in my humble opinion MS knows of security flaws prior to software release dates and either does nothing till the mainstream finds out or most often creates what is called a new version of its OS, really a service patch/security fix, and sells it to customers touting it as the latest greatest thing in computing that everyone must have (think about 95-95b-98-98se-ME for example).

SuSE is not like this. I have seen over several years that every effort is made by SuSE to provide a safe, secure, stable environment for its users, one that provides rapid response to security related issues in software shipped with each version of the distro.

I'll copy a previous post style for the moment: <flame> If you out there are unhappy with the way SuSE or any distribution handled this or any security related issue I think one of two things needs to happen: 1. Stop using distros, try building your system from scratch, the tarball way, and see how far you get and how secure you stay. 2. If you think you can do better create your own distro, ship it out to the people, and support it. Don't ever think that you or anyone not on the development team of a project has the right to attack those whose sole purpose is to provide a service to you. Again if the service is not good enough don't use it. </flame>

I feel better now and I'm done. The only thing I was unhappy about was that my 7.3 shipped the day this announcement came out, which only sucks because I had to do major work to a new install even before it was installed, but SuSE you still rock and these haters need to roll on as we don't need their kind, they only complain and destroy rather than help and build. Sorry for wasting bandwidth and again my hat's off to SuSE for again leading the way.
participants (7): Bitzer,Gerd; Boris Lorenz; Duane Kehoe; Kurt Seifried; Markus Gaugusch; Ray Dillinger; Roman Drahtmueller