OpenBSD Journal

How to 0wn the Internet in Your Spare Time

Contributed by Dengue on from the oops dept.

I noticed this first on slashdot.org: "How to 0wn the Internet in Your Spare Time" by Staniford, Paxson and Weaver. This paper will appear in the Proceedings of the 11th USENIX Security Symposium (Security '02).

Great title, and good analysis of the threat that widespread infection by worms and trojans poses to broadband-connected users of less secure operating systems. The analysis is driven largely by Code Red, Nimda, et al.



Comments
  1. By RC () on

    Comments
    1. By elmalstard () on

      The following post deals with unsecure OS (targeting MS in particular...), but it seems that people have a very approximate idea of the security mechanisms in WinNT. If it was not the case, they would have known that it is more a problem of application than OS. In terms of mechanisms, NT is far beyond other OSs, but it lacks code audits like OpenBSD has.

      I often hear people saying that MS is bullshit and linux is god. Hey, wake up, a standard linux box is full of security holes...

  2. By RC () on

    When will someone throw personal responsibility into the internet? If someone chooses an insecure Operating System, doesn't patch it when an exploit has been found, and takes no additional security measures, they should be held responsible.

    Of course, if there's no patch for the hole, the responsibility passes to Microsoft, et al.

    It's so simple that I can't imagine why it isn't the case. It seems like the internet is the wild west as far as congress is concerned, and they only pass the laws that will allow them to pass the buck to companies, and let them do as they please...

    Comments
    1. By Anonymous Coward () on

      I agree, but if they would actually do this in practice, Microsoft would have dozens of lawsuits against it, at any given time, since there are (a) lots of bugs in their OSes, (b) lots of people use them and (c) it takes them quite a while to release a patch. So if they would be sued for all damage caused to people in the time between the discovery of the hole, and the release of the patch, they'd have quite a big problem...

    2. By edu () on

      I think people/companies with insecure systems that are used as decoys to perform attacks should be held equally as responsible for the attack as the actual person who performed it. I.e. they should be punished for supporting a crime (by helping with infrastructure). At least that would make people think twice about using insecure systems.

      Comments
      1. By Anonymous Coward () on

        One of the reasons these kinds of things are possible is that a lot of companies don't even _know_ that there are alternatives to Microsoft. The only things they see are Microsoft's advertising, and the preinstalled windows they got when they bought their computers.
        Also, something that is free immediately gets an image of 'low-quality' with these shortsighted people, especially when the commercial counterpart costs several 100$!
        There's not much one can do against a company which clearly has a monopoly and has by far the greatest budget for advertising. Free software (hardly) has the budget to do any advertising at all.
        So maybe a law like that would be a little harsh, but it would certainly open up some eyes, and enlighten minds.

      2. By Devil's Advocate () on

        So if your car gets stolen and used to run over a bunch of nuns crossing the street, you should be held responsible?

        Maybe you'll get the death penalty if you left your door unlocked.

        DA

        Comments
        1. By Anonymous Coward () on

          > So if your car gets stolen and used to run over a bunch of nuns crossing the street, you should be held responsible?

          Yes.

          If you leave your gun laying around the house, then you are responsible when your kid's friend steals it and kills his dad.

          If you let people carrying knives pass through airport security - you should be held responsible after they hijack an airplane and kill a few thousand people.

          People should be held responsible not only for committing the crime, but for not preventing the crime when they could.

          Comments
          1. By Anonymous Coward () on

            > > So if your car gets stolen and used to run over a bunch of nuns crossing the street, you should be held responsible?

            > Yes.

            Only if you took no measures or obviously insufficient measures to protect your car. If you left your car door locked, kept the car alarm on, and put an anti-theft device on the steering wheel anyway, I don't think anyone could reasonably claim that you're responsible. Securing your car completely and thoroughly is just as impossible as securing a computer system completely and thoroughly, and I don't think anyone is willing to lock their car in a safe, cover it in concrete, and bury it at the bottom of the Mariana Trench.

            > People should be held responsible not only for committing the crime, but for not preventing the crime when they could.

            There's a big difference between preventing the crime when you can, and preventing it when it's reasonably possible. Holding people liable for not doing the former when they did the latter is unethical.

            Comments
            1. By David () on

              > > So if your car gets stolen and used to run over a bunch of nuns crossing the street, you should be held responsible?

              > Only if you took no measures or obviously insufficient measures to protect your car.

              Just like using OpenBSD over Windows for your internet servers. :-)

              This raises an interesting point though, what if the administrators of all of the Windows computers responsible for Code Red 1/2 were held liable for damage to others' systems? A patch was out there, so you could say it's their responsibility, and it would wake the world up to security, the moment you become exposed.

      3. By Anonymous Coward () on

        people/companies with insecure systems that are used as decoys to perform attacks should be held equally responsible

        someone breaks into my house while i'm on vacation and sells drugs out of it for a week. why should i be held responsible? because i couldn't afford armed guards?

    3. By mirabile () misc@openbsd.org on

      I'm fully with you, my friend.
      If Joe operates some insecure system
      and does not ensure privacy and protection
      for data etc. he is going to be held
      responsible.
      There are even ways to protect some
      Microsoft(R) systems, such as putting
      them behind an OpenBSD firewall and
      running some "personal firewall"
      programme on them, alongside with
      a decent antivir programme, which
      both come for free.
      As for servers, there are measures, too.

      Lately I got flamed on http://www.symlink.ch/
      by P2501 for this opinion, but luckily,
      I'm not alone out there ;)

      Comments
      1. By Anonymous Coward () on

        you will soon be growing long beards a la Bin Laden (or Stallman, whatever is worse).

  3. By Anonymous Coward () on

    It should be an absolute requirement for ISPs to filter their customers upstream traffic so that no packets with spoofed source addresses are let out on the Internet.

    Comments
    1. By Anonymous Coward () on

      Responsible answer number 1.
      -ISPs could remove a lot of the garbage on the net.
      -However
      Holding a software company financially responsible
      for the laziness of the people that use its software
      is a VERY bad idea. To keep it to the point.
      Microsoft could afford the lawsuits.
      OpenSource companies could not.
      -
      -
      Yes Microsoft made some very bad design decisions that
      left their software vulnerable. Yes I have a problem
      with MS.
      But. WHO CARES?
      Until the general population wises up these kinds of
      things will be possible.
      Until somebody notices that the people using a secure
      OS can sit back and laugh while the rest of the
      computing world has to run around like a chicken that
      just lost its head, with every new virus and worm.
      WHO CARES.
      No lawsuits. No lawyers. Buyer beware. End of story.

    2. By Anonymous Coward () on

      Eeek, don't try saying that to anyone who operates a backbone site. Sure, it's a great theoretical idea, but on any really, really big pipe, it's just not practical; there's too much traffic.

      The real solution is for every leaf node to filter at its internal border, but the logistics of educating and convincing every dumb admin that he needs to filter, and of then having him convince his bosses that he should be allowed to filter, and of then actually doing it, are immense. Some day I think it might happen, but that day is probably ten or twenty years in the future. In the meantime we're all screwed.

    3. By Anonymous Coward () on

      someone else already mentioned the backbone provider issue, so i won't repeat it. i will, however, say that an effective DDoS can be done with non-spoofed addresses. in fact this is already done in large measure, since most Windows boxes don't spoof (and most tools on Windows don't install winpcap to do the spoofing).

      as such, filtering by ingress/egress isn't a help from that perspective. filtering needs to be done, but it's not the end-all-be-all solution. additionally, i tend to lobby for traffic shaping on a per host basis, as no single host should be able to consume a pipe. lastly, smart filtering practices and local proxies on well controlled networks can remedy a lot of this.

    4. By Gimlet () on

      And the State Highway Patrol should stop and search every car on the Interstate for false ID's and contraband.

      What universe do you live in?

      Customers don't pay for security, they pay for performance. Until that changes, I wouldn't hold my breath.

      Comments
      1. By Anonymous Coward () on

        > Customers don't pay for security, they pay for
        > performance. Until that changes, I wouldn't
        > hold my breath.

        Customers pay a lot for poor performance and even worse security. (M$)
        If they would pay less (OpenBSD), they'd get far better performance, and enormously better security.
        They would have to re-educate their staff, but I think that costs less than the money you save by not buying 10 windows licenses, but some OpenBSD cd's ;-)
        So in the end, it's a win-win situation ;-)
        Only too bad people are so sensitive to advertising :-(

        Comments
        1. By Anonymous Coward () on

          apparently you're kind of stupid, so I'll go through this a little bit.

          MicroSoft gives good performance and much, much, MUCH better value to the average user. Sure, if you're some zealot weenie you can go "oh but we've gone through audits and blah blah etc..." but that's not what people are looking for. They want usability, which OpenBSD is *not* without taking the security down to about level with MS. The biggest difference between the two is default settings. MS goes for the lowest common denominator while OpenBSD goes for locking everything down.

          The training time, frustration, plus the switchover time for admins is IMMENSE.

          I hope this will help clear up some of your problems, but others just seem too big for this sort of forum.

          Comments
          1. By Anonymous Coward () on

            It is quite apparent that you know insanely little about this topic to be posting about it. Please, when you don't have any of the facts and you don't even know a thing about what you're thinking keep your thoughts to yourself.

          2. By Anonymous Coward () on

            I disagree.

            I'm not an experienced admin, though I am not a complete newbie either. I have far more experience with Microsoft OSes (about 8 years now) than with Open Source OSes (about 3 years) or OpenBSD (only a year or so).

            Though I got a (very) basic OpenBSD webserver up&running in only 30 minutes (that includes installing OpenBSD, setting up Apache (yeah, edit one line), ftpd, and transferring my files).

            I wouldn't be able to install a windows box in that time. Just a standard installation already takes far longer (depending on the speed of the machine of course), and then you don't even have the server-software running ;-)

            And that server is a 486 with 16mb ram and a 230mb hdd. I doubt windows would be able to achieve a performance anywhere near OpenBSD on that box.

            Admitted, on high-end systems, the performance difference is less noticeable, but on low-end systems, you do notice it!

      2. By Anonymous Coward () on

        bad example. and why care what the "customers" want or not, it's not their global internet, just enforce it.

        it's like saying "we should give guns to anyone who wants one, and not require licenses, since that is what the customer wants".

  4. By Anonymous Coward () on

    There is a law in many countries to place a warning on cigarette boxes saying that it is hazardous to smoke. A similar law should force warning labels to be placed on M$ (and others) boxes stating that the software is buggy and insecure. Then people would start to think about other solutions.

    Comments
    1. By Anonymous Coward () on

      Guarantee that M$ would produce the most secure system all over the world in a year's time.

      Comments
      1. By Marc Espie () espie@openbsd.org on

        And that would be a bad thing because ?...

    2. Comments
      1. By Anonymous Coward () on

        From this I conclude you believe an incompetent admin is anyone who installs M$ software. Even the best admin cannot protect a system which is exposed to the internet at large when it contains a (large) number of unknown bugs which can lead to root compromise. M$ software is of such low quality wrt security that even a system that has all the latest patches-of-the-week installed will still contain major security holes. They just haven't been found yet, but they will be. I'm not suggesting any alternative software is bug-free but M$ has so many I'm surprised there's enough room left for functional code.
