From: InfoSec News (isn_at_c4i.org)
Date: Tue Dec 17 2002 - 05:26:08 CST


    http://www.net-security.org/article.php?id=309

    [Real World Linux Security 2/e by Bob Toxen is available at Amazon.com
    for $34.99 - http://www.amazon.com/exec/obidos/ASIN/0130464562/c4iorg ]

    by Mirko Zorz
    16 December 2002

    1. Who is Bob Toxen?

    I am cut from standard geek material. I love science fiction,
    especially Star Trek. From the time I was 14 I was hooked on
    computers. I was introduced to them with the APL language on the
    mighty IBM 360/91 at IBM's T.J. Watson Research Lab where my father
    was a research physicist.

    I have lots of electronic toys and have more computers in my house
    than I can count -- all running exclusively Linux. I love music,
    especially Gothic, Industrial, and Blues. I dabble in high voltage,
    pyrotechnics, and holography. For more excitement, I fly my plane, a
    Piper Arrow, around the Eastern United States and Canada.

    At Berkeley we competed for who had the best program, with the most
    features, most resistance to bad data, was written in the best style,
    and which ran the fastest. This was good practice for being a
    programmer and later for doing computer security. This obsession for
    quality seems universal among Linux developers and lacking in some
    proprietary software systems.

    I was one of the four programmers who ported Unix to the Silicon
    Graphics hardware for them. Later, I wrote a NFS server for Stratus'
    non-Unix operating system, debugging it with a LAN analyzer. I wrote
    several more network servers, one to track Space Shuttle payload data
    for NASA. This was good training for network security as I learned
    protocols down to the bit level. It enabled me to understand
    vulnerabilities and defenses down to this level too.

    How did you gain interest in computer security?

    I was a sophomore at the University of California, Berkeley in 1975
    when lots of exciting Unix work was being done. Unfortunately,
    undergraduates were not allowed to do Unix research at this public
    taxpayer-funded university by "the powers that be". A few friends and
    I solved this by breaking into the Unix system and conducting
    research without permission. Despite the best efforts of the
    SysAdmins, we did this for about three years straight until we
    finished school and headed for the salt mines of Silicon Valley.

    One of my original ideas was hacking the kernel so that instead of the
    erase character being a "#" character, erasing would generate the now
    universal backspace-space-backspace sequence to obliterate the now
    erased character. I did the same for line erase, replacing the ""
    character with however many backspace-space-backspace sequences were
    needed to erase the entire line on the screen. Doug Merritt helped
    with this work.

    I created the "lock" program to lock a terminal as a convenience over
    logging out to maintain security. I started enhancing the Unix Version
    6 shell before Bill Joy started on csh and Dr. Bourne did the Bourne
    Shell. Doug Merritt added vi-like editing to the shell. All of these
    things now are universal on Unix, Linux, and even Windows but we came
    up with the ideas.

    Our interest in security was to stay in control of the system to make
    improvements to it as well as the technical challenge. We never
    damaged anyone's data though the SysAdmins spent lots of time to try
    to get us out. They never caught Doug, Ross, or me, however hard they
    tried.

    It was wrong for us to do this without permission and, instead, we
    should have found a sympathetic professor to arrange for us to get
    legitimate access. One of us (not the three named above) was arrested,
    spent a night in jail, and had to fight to avoid conviction due to our
    activities. This was my only less than white hat activity.

    What are your favourite security tools and why?

    IP Chains/IP Tables
    This is the "Killer App" that allowed Linux to be a good
    Enterprise-class firewall. I find it far easier to configure than
    Cisco's Pix, cheaper, and more versatile; IP Tables offers all of the
    features that most organizations need.

    I wrote 60 pages on IP Tables in RWLS 2/e that includes "Tips and
    Techniques" for easy rule set creation and debugging, a detailed
    comparison of IP Tables with IP Chains, and complete IP Tables scripts
    for SOHO and medium organizations that want a DMZ.

    Logcheck (my enhanced version)
    Logcheck takes the tedium out of properly checking your systems' log
    files for attacks and illness. I find it better than other tools, such
    as LogWatch, that either do not catch enough problems or do not
    discard unimportant events. I recommend that anyone running LogWatch
    immediately replace it with Logcheck.

    My enhancements include fitting each IP Chains/IP Tables entry on a
    single line, being able to page the System Administrator for major
    problems, and not repeating "Attack" entries in the "Violations"
    section and not repeating "Violation" entries in the "Unusual"
    section. This encourages one to read all sections, knowing that it
    does not contain repeated data.

    This version is on the CD-ROM that comes with the book and has been
    submitted back to Logcheck's original author.

    My own Adaptive Firewall
    It runs on top of IP Chains/Tables ("The Cracker Trap"). It locks an
    attacking system out of one's network within a fraction of a second.

    Nmap
    Fyodor's wonderful tool allows a thorough analysis of a firewall,
    network, or system very quickly and easily. Both SysAdmins and
    crackers use it daily. I even use it to see if an e-commerce site has
    made an effort to harden its server before I trust it with my credit
    card number.

    Arpwatch (my enhanced version)
    This wonderful tool allows the SysAdmin to know when someone connects
    a new system to the network or changes the IP address of an existing
    system within seconds. This is critical to ensure that users do not
    install "rogue" systems without authorization.

    It also is useful to detect if any systems become compromised. In the
    latter case, the better crackers will change the system's IP address
    to an unused one to make it harder to track down which system was
    compromised. With Arpwatch, one will know which system was changed
    unless the cracker changes both the IP address and MAC address
    simultaneously. In this latter case one still will know that a rogue
    system has appeared suddenly.

    Arpwatch was created by Craig Leres of Lawrence Berkeley Labs and I
    have enhanced it extensively to be more useful for large networks with
    multiple subnets and to properly detect bogons. Bogons are systems
    whose IP address is incorrect for the network that they are on. Bogons
    indicate systems that are incorrectly configured or compromised.

    Ethereal
    This wonderful program allows fast real-time analysis of packets
    traversing a system or network. It allows localizing a network or
    firewall problem, verifying that a VPN actually is encrypting its
    data, etc.
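    The Logcheck behaviour described above (each log line reported once,
    in the most severe section that matches it, with known-benign noise
    dropped and a pager hook for the attack section) can be shown in a
    few dozen lines. This is an added example for this page, not
    Logcheck's own code nor Toxen's patches to it; the pattern lists,
    section names and log lines are constructed stand-ins for Logcheck's
    much larger pattern files.

```python
"""Logcheck-style log triage (added example; not Logcheck's code).

Each line lands in at most one section, the most severe one that matches,
so "Security Violations" never repeats an "Attack" line and "Unusual
System Events" never repeats a violation. Patterns and log lines below
are constructed samples, not captured data.
"""
import re

# Tiny stand-ins for Logcheck's hacking / violations / ignore pattern files.
ATTACK = [r"ROOT LOGIN REFUSED", r"POSSIBLE BREAK-IN ATTEMPT"]
VIOLATIONS = [r"Failed password", r"authentication failure", r"\bDROP\b.*\bIN="]
IGNORE = [r"CRON\[\d+\]: \(\w+\) CMD", r"-- MARK --"]

SECTIONS = ("Active System Attack Alerts",
            "Security Violations",
            "Unusual System Events")

# Constructed syslog excerpt; 203.0.113.5 and 192.0.2.1 are documentation addresses.
SAMPLE_LOG = """\
Dec 17 04:12:01 gw CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Dec 17 04:12:05 gw sshd[2201]: Failed password for root from 203.0.113.5 port 4411 ssh2
Dec 17 04:12:06 gw sshd[2201]: ROOT LOGIN REFUSED FROM 203.0.113.5
Dec 17 04:12:07 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP DPT=23
Dec 17 04:12:09 gw sshd[2209]: reverse mapping checking failed - POSSIBLE BREAK-IN ATTEMPT!
Dec 17 04:13:00 gw syslogd: -- MARK --
Dec 17 04:13:30 gw ntpd[700]: time reset +0.912 s
"""


def _matches(patterns, line):
    return any(re.search(p, line, re.IGNORECASE) for p in patterns)


def triage(log_text):
    """Return ({section_name: [lines]}, page_admin)."""
    report = {name: [] for name in SECTIONS}
    for line in log_text.splitlines():
        if not line.strip() or _matches(IGNORE, line):
            continue                          # known-benign noise is dropped, not reported
        if _matches(ATTACK, line):
            report[SECTIONS[0]].append(line)  # highest severity wins; line is not repeated below
        elif _matches(VIOLATIONS, line):
            report[SECTIONS[1]].append(line)
        else:
            report[SECTIONS[2]].append(line)  # anything unmatched still gets a human's eyes
    page_admin = bool(report[SECTIONS[0]])    # stand-in for the "page the SysAdmin" hook
    return report, page_admin


if __name__ == "__main__":
    sections, page = triage(SAMPLE_LOG)
    for name in SECTIONS:
        if sections[name]:
            print(f"\n{name}\n{'=' * len(name)}")
            print("\n".join(sections[name]))
    print("\nPAGE ADMIN:", page)
```

    The ordering of the three checks is the whole point: a line that
    would also match a violation pattern is consumed by the attack
    section first, so a reader who reaches "Unusual System Events" knows
    everything there is genuinely unclassified rather than a repeat.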
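    The Arpwatch cases described above (a new station, a known IP
    answered by a different MAC, a compromised box whose IP moves to an
    unused address while its MAC stays put, and a bogon whose IP does not
    belong to the subnet it was seen on) are easy to reproduce on a
    stream of ARP observations. This is an added example, not Arpwatch's
    code nor Toxen's enhanced version; the interface-to-subnet map and
    the observations are constructed assumptions.

```python
"""Arpwatch-style station tracker (added example; not Arpwatch's code).

Consumes (interface, ip, mac) observations, as a sniffer would extract them
from ARP replies, and reports:
  new station              : an IP never seen before, with an unknown MAC
  station moved            : a new IP, but the MAC is already known elsewhere
                             (a box whose IP was changed; the MAC identifies it)
  changed ethernet address : a known IP now answered by a different MAC
  flip flop                : a known IP went back to a MAC seen for it before
  bogon                    : the IP is not valid for the subnet of that interface
The subnet map and observations are constructed sample data.
"""
import ipaddress
from collections import defaultdict


class StationTracker:
    def __init__(self, subnets):
        # interface -> network on that interface (assumed topology for the example)
        self.subnets = {iface: ipaddress.ip_network(net) for iface, net in subnets.items()}
        self.current = {}                  # ip  -> MAC currently recorded for it
        self.by_mac = {}                   # mac -> IP most recently seen using it
        self.history = defaultdict(set)    # ip  -> every MAC ever seen for it

    def observe(self, iface, ip, mac):
        """Record one ARP observation; return a list of (kind, ip, mac, detail) events."""
        mac = mac.lower()
        net = self.subnets[iface]
        if ipaddress.ip_address(ip) not in net:
            # Bogon: misconfigured or compromised host; do not pollute the tables with it.
            return [("bogon", ip, mac, f"{ip} seen on {iface} ({net})")]
        events = []
        old = self.current.get(ip)
        if old is None:
            prev_ip = self.by_mac.get(mac)
            if prev_ip is not None and prev_ip != ip:
                events.append(("station moved", ip, mac, f"{mac} was at {prev_ip}"))
            else:
                events.append(("new station", ip, mac, ""))
        elif old != mac:
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            events.append((kind, ip, mac, f"was {old}"))
        self.current[ip] = mac
        self.by_mac[mac] = ip
        self.history[ip].add(mac)
        return events


def run(subnets, observations):
    tracker = StationTracker(subnets)
    report = []
    for iface, ip, mac in observations:
        report.extend(tracker.observe(iface, ip, mac))
    return report


# Constructed topology and ARP observations (not captured traffic).
SUBNETS = {"eth0": "192.168.1.0/24", "eth1": "10.0.0.0/24"}
OBSERVATIONS = [
    ("eth0", "192.168.1.10",  "00:11:22:33:44:01"),  # first sighting
    ("eth0", "192.168.1.11",  "00:11:22:33:44:02"),  # first sighting
    ("eth0", "192.168.1.10",  "00:11:22:33:44:01"),  # steady state, no event
    ("eth0", "192.168.1.11",  "00:11:22:33:44:99"),  # .11 now answered by a new MAC
    ("eth0", "192.168.1.11",  "00:11:22:33:44:02"),  # and back again: flip flop
    ("eth0", "192.168.1.250", "00:11:22:33:44:01"),  # .10's NIC reappears on an unused IP
    ("eth1", "192.168.1.77",  "00:11:22:33:44:55"),  # eth1 is 10.0.0.0/24: bogon
    ("eth0", "192.168.1.200", "de:ad:be:ef:00:01"),  # unknown MAC on a new IP
]

if __name__ == "__main__":
    for kind, ip, mac, detail in run(SUBNETS, OBSERVATIONS):
        print(f"{kind:24s} {ip:15s} {mac}  {detail}")
```

    The "station moved" case is the one the interview singles out: an
    intruder who changes only the IP of a compromised host is still
    pinned to that host by its MAC, whereas changing both simply shows
    up as a "new station" that nobody authorised.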

    How long did it take you to write "Real World Linux Security, 2/e" and
    what was it like?

    It took about three months of 90-hour weeks to finish the manuscript
    and a few months of "normal weeks" for the post-manuscript production
    to produce the finished book. This was on top of about six months of
    120-hour weeks to create the manuscript for the first edition and
    three months for production.

    What was it like? Pure hell. I worked mostly at night because I am
    more creative then and there were no interruptions for email or phone
    calls. My friends thought I abandoned them because they never saw me
    and I kept sending my girlfriend away for weekends, camping, to visit
    her mother in Washington, DC, and elsewhere. My good friend, Stan
    Bootle calls it "Writer's Widow".

    I slept very little. I did just enough for my clients so that they did
    not find someone else to help them. This obsession resulted in a much
    better book. I saw my contribution to Linux and Open Source was to
    help secure it. While Linux (and Unix) is capable of very good
    security, people did not know how. With my knowledge of security and
    some ability to write I saw this as my greatest contribution to Open
    Source. The book also is very useful to Unix System Administrators.

    What's your take on the adoption of Linux in the enterprise? Do you
    think it will give a boost to security?

    Linux continues to "Eat Bill's lunch" and that of the Unix vendors.
    With the desktop work that has been done recently and several
    Distributions' work for easier installs, Linux is ready to take over
    the desktop market too. I think that the poor economy internationally
    has helped Linux.

    Any old PC can run Linux quickly for no money and trouble-free
    operation. The latter means far less support costs. Microsoft just
    announced that it no longer will support its flagship Office for
    previous Windows versions, to "force" people to buy its new stuff; I
    think many will switch to Linux instead.

    SuSE just announced its Open Exchange product. There are several Open
    Source Linux-based clients for MS Exchange. Almost everyone has heard
    of Linux now. IBM advertises it on television. Non-geek friends want
    to try it.

    What do you think about the full disclosure of vulnerabilities?

    Full disclosure of vulnerabilities forces vendors to fix their
    security problems quickly and it counteracts the lies of insecure
    vendors that their software is secure. This seems to be why Microsoft
    is lobbying the U.S. government to outlaw full disclosure and
    Hewlett-Packard (HP) is trying to imprison someone under DMCA who
    disclosed HP vulnerabilities. It was disclosed only after HP refused
    to acknowledge the problem or repair it.

    What are your future plans? Any exciting new projects?

    Since finishing the book two months ago, I have created a Linux-based
    Enterprise-class Virus filter and Spam filter and installed them at
    various clients. I am finishing an article on a novel way to trace
    Distributed Denial of Service (DDoS) attacks so that they may be
    stopped much faster. I am growing my network security consulting
    business.

    What is your vision for Linux in the future?

    Linux will replace Windows and Unix as the universal operating system
    for everything from embedded systems and PDAs to the biggest systems.
    Linux's Open Source nature and the peer pressure from its users will
    prevent Microsoft, IBM, or anyone else from forcing people to use
    inferior proprietary software again.

    More governments will join China, France, and Mexico in officially
    preferring Linux over Microsoft for its better quality and lower cost
    of ownership. There is a Chinese edition of Real World Linux Security
    from China Machine Press.

    People will have personal lives again rather than having to reinstall
    their Windows systems or retype their documents every weekend
    following crashes.

    -
    ISN is currently hosted by Attrition.org

    To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
    in the BODY of the mail.