Greetings From Jim Dennis
Well, the book is done at last. It's off to the publishers and beyond our control. Naturally M and I are are already thinking about things to improve for the second edition.
Meanwhile in "Answer Guy" land I was a bit surprised by the reaction to my comment on Bernie's "parenting" from last month. I expected a few flames, and maybe one or two notes of agreement. Naturally I hesitated to even respond to the question at all.
I figured someone would toss the old "what do you know about being a parent?" bomb at me. Of course, I don't know anything about "being a parent;" not first hand, so far. However, that's not the reaction I got. I had several people drop me notes and come to me in person to say how much they agreed with me. At least one was a grandparent.
However, I did neglect to add one thing to my flame. Normally when I "flame" someone (in my column or in e-mail/netnews) I also answer their question. In this case the answer to Bernie's question came within a couple of weeks after I wrote my response to him.
- Back Orifice 2000.
This package, a freeware (and open source) product of the cDc (Cult of the Dead Cow) offers just the features that Bernie was looking for. Using it you can perform keystroke logging, take screen shots of your victim's work (or play), redirect their TCP/IP traffic so that it all goes through your system, play with their filesystem (almost undetectably) and (of course) surreptisiously install any other software you like.
The BO2K server runs on NT, Win '95 and Win '98 (and on the most recent betas of Win 2000, from what I hear). There are clients for Win32 (of course), and command line clients for Linux and other forms of UNIX. Since BO2K is open source it can probably be ported to as many other UNIX-like operating systems as you like.
It might be interesting to see what happens when some programmers start combining features of BO2K with VNC (Virtual Network Computing) a package which provides GUI remote access to Win32 and MacOS platforms. VNC clients are available for Linux, Win32, and Java (among others).
Both VNC and BO2K are released under the GPL, so they should be license compatible. We don't run into the sort of problem one would face when trying to mix BSD and GPL code (for example).
Of course BO2K was released after my message to Bernie. However it is an upgrade (a complete re-write, from what I've read) to the original BO. BO was released last August. The fact is that I didn't know much about BO. I'd heard about it, of course. However, I don't administer any Windows systems and I have no interest in using trojan horses. So I simply filed it away as evidence of vulnerabilities in "that legacy operating system from Redmond."
UNIX and Linux are riddled with vulnerabilities. We find new buffer overflows and race conditions every week. Most are simple programming errors that are fixed as quickly as they are found. Occasionally we find exploitable flaws in the kernel (like the LDT, local descriptor table, bug that Linus found a couple of years ago). Those are also fixed quickly.
This suggests that the design of UNIX is relatively sound with respect to security, since the bugs are at an implementation level. They are easily fixed.
It also suggests that the design is limited. It is very difficult to write "secure" code for Linux and UNIX. In particular it seems that the standard C libraries are a poor base for writing robust applications code. The most straightforward ways to accomplish many operations in C through the standard libraries (scanf(), printf(), system(), popen()) are simply inappropriate for working with untrusted data or being run in any security context other than that of the user who is executing it. In other words, SUID and SGID programs, and daemons should eschew many of the standard library functions. The programming expertise required to distinguish between the "safe" practices and those that are exploitable provides us with a severe limitation to the security of our systems.
I asked a programmer and design engineer (the major force behind the design of the Corel Netwinder) about the sorts of bugs that are exploited by BO2K to gain full control of NT and W2K systems. Basically I asked if the released version of W2K could fix these holes to prevent BO2K from being used as a trojan. He said that the nature of these bugs is far too pervasive to be fixed by Microsoft in the remaining time before their final release. The APIs used by BO2K are apparently also used by many other products and parts of the OS.
I'm not a programmer. However, that does sound like a design level problem. It suggests that no amount of implementation effort will "fix" the problem. This is consistent with other things I've heard and read about NT since before version 3.0 (the first release).
So, I'm glad I invested the time to learn UNIX and Linux rather then spending the time in the rat's wheel to learn the guts of NT. The important things that I learn about Linux are applicable to other forms of UNIX, and will be around for as long as these operating systems exist. The few things I learn about NT and other MS operating systems are going to be obsolete within one or two future releases of the system.
The whole issue of BO2K as a "trojan horse" is interesting. Naturally Microsoft would like everyone to focus on the "hacker" (cracker, actually) image of the cDc. They characterize BO2K as purely malicious. The cDc makes this easy with their irreverant attitude and provacative "marketing." I personally don't like the name of the group or their product. However, it would be shooting to messengers to discount the value of the package based solely their name.
BO2K is just a tool. It has no ethics. It has legitimate uses. It can be put to unethical uses. The exploitable flaws that allow it to be used perniciously should be fixed.
A Melissa or WinExplorer.zip style delivery of a BO2K derived trojan is a major security risk for all organizations that rely on Win32 based systems (NT, '9x, and W2K).
We can be thankful to the cDc that they chose to publish these, so that everyone including Microsoft has a chance to address the real problem --- and we can only wonder how long these bugs have been secretly exploited by more clandestine groups and individuals.
In last month's blurb I talked about the Linux reaction to an "offensive" messenger (Mindcraft). My point was that the Linux and Apache developers didn't ignore the message while discrediting the messenger. We'll see if Microsoft can learn from that example.
Meanwhile, Bernie, if you're reading this, feel free to use BO2K. I'll let you wrestle with your own conscience and come to your own conclusions about the ethical implications and practical repurcussions of *how* you use it.
In the past I've occassionally tried to honor a "tech of the month." Unfortunately I haven't had the time to maintain that as a tradition. This month, for variety, I'll point to a "link of the month:"
- Linux Games - Even Penguins Like To Have Fun
Meanwhile, if you haven't had enough of my writing for one month, look to the Linuxcare Inc. web site in coming weeks. I may be writing to a more "corporate" audience there on a regular basis.