Something else to chew on

[PTS 0]

I was visiting a local computer store a few days ago. They had a Sony VAIO on display, but the screensaver was on and it was password protected. Now I really wanted to check this machine out, and I already knew it had Windows XP on it.

 

So............. I stopped and thought.. How can I get around this password.

It was really scary as to how easy it was to circumvent XP.

 

I manually rebooted the machine and went into safe mode. Now I could access all the files on the machine from there, and as if that was not enough on a machine that is supposed to be secure by having to log in with a password when WXP loads, I could actually create another account and give it administrator privileges.

 

Once I had this new account set up, I just rebooted again. This time I could simply log in with that account and have not only access to all files but complete administrator privileges. How secure is that? I have not tried this on my machine at home. I have my logins password protected.. one with administrator privileges and one without. I THOUGHT that anyone would have to know those passwords to gain access to anything. Wrong!

 

Just wondering what you all think...

 

PTS

[nebulus 0]

Relationship between security and user-friendliness is inverse proportional.

If you need a secure system get yourself a proper linux distro. That's what I think..

[Tomay 0]

Screensaver password isn't really a good protection. If the machine had a password for the administrator you couldn't do what you did.

[adamvjackson 0]

Quote:

If you need a secure system get yourself a proper linux distro.

Depending on the knowledge level of whomever configures the OS, Linux is not necessarily more secure than a well-secured Windows installation (2000 or XP). The only notable differences are the different security standpoints, Linux seems to be more 'secure' out of the box, by having most everything disabled. Windows, on the other hand, may need some services and security settings locked down after install.

Basically, whatever the OS, security is the responsibility of whomever installs the OS. At retail computer stores, they could care less if their systems are tampered with, as they will just reload the OS if necessary.

[nebulus 0]

Quote:

Depending on the knowledge level of whomever configures the OS (...)

Agree.

Quote:

(...) Linux is not necessarily more secure than a well-secured Windows installation (2000 or XP).

Well.. it depends on what distro we're talking about.. Lindows perhaps not, SE Linux - hell yes.. Even root has restrictions there!!

[jmmijo 1]

The other security option is to password the system bios for booting without the correct pass. I know most desktop boards have this option but most likely most notebooks/laptops do as well. So when you rebooted the machine it would ask for this pass at the bios post screen

 

Also note there are a number of hardware dongles that do this as well, boot off the USB ports and are keyed to the machine.

[sapiens74 0]

Linux and Unix had 2 times the vulnerabilities last year as windows based machines.

 

It all depends on the Admin.

[adamvjackson 0]

Quote:

It all depends on the Admin.

I agree, and that was the point that I tried to make in my above post. Any (current) OS can be secure, some require more work than others.

Quote:

Well.. it depends on what distro we're talking about.. Lindows perhaps not, SE Linux - hell yes.. Even root has restrictions there!!

I'm not familiar with that distro, but for the record, Lindows is Debian-based, so I'm sure if someone really wanted to lock it down, it could be done fairly easily.

[nebulus 0]

All I'm trying to say is that Windows on it's own isn't really secure.. Of course, you can get some 3rd parties software to make sure that it is, but bottom line is, comparing to any normal linux distro it's not.

 

Quote:

I'm not familiar with that distro, but for the record, Lindows is Debian-based, so I'm sure if someone really wanted to lock it down, it could be done fairly easily.

SE Linux is NSA's Security Enhanced Linux.. Uses mandatory access control, while regular linux/unix systems employ discretionary access control. Pretty paranoid stuff if you ask me

 

Well, when it comes to Lindows.. it's one pretty screwed up Debian. I mean, when you can get windows' viruses running then there must be something wrong with the system.. And if you'll start locking it down by removing some services and features that Lindows offers then it won't be a Lindows anymore, will it?

[clutch 1]

Or, you could just boot up off of one distro, and chroot into the one on the disk. Or, just simply move files off one-by-one as desired since the vast majority of filesystems available for Linux do not have very good permissions management available. It's bad enough that Open Source has been shown to have flaws in the concept when people can imbed worms into the source and make that available (such as when OpenSSH was compromised) or when the most common text editor (vi) has a vulnerability that would allow someone to take over a machine. Not to mention the "stability" of Linux-based desktop when I am running Gentoo, X, Fluxbox, and Mozilla, go to the nVidia website for some drivers, and consistently see X crash when I hit one of the fancy mouse-over menus at their site. I was a big Linux fan for a while (and I still am, to a point) but with seeing all the new and wonderful holes in the OS everyday, coupled with the greatly reduced tools (I missed Office XP and VS.NET, and no, OpenOffice.org is *NOT* a suitable replacement) it was only useful as a utility OS.

[nebulus 0]

Quote:

Or, just simply move files off one-by-one as desired since the vast majority of filesystems available for Linux do not have very good permissions management available.

And what filesystems would it be?

Quote:

It's bad enough that Open Source has been shown to have flaws in the concept when people can imbed worms into the source and make that available (...)

Technically speaking, M$ can do the same thing without you knowing about it..
Besides, if their products are secure, why they offer no guarantee, and their software is not available for any inspections?
Plus, since Windows is closed source there is really no way for users to fix or diagnose any of the security compromises. New technologies are just rushed into the product even before they have been properly designed or fully implemented. This isn't really helping to secure the OS.

Quote:

(...) or when the most common text editor (vi) has a vulnerability that would allow someone to take over a machine.

Had. ;(

Quote:

Not to mention the "stability" of Linux-based desktop when I am running Gentoo, X, Fluxbox, and Mozilla, go to the nVidia website for some drivers, and consistently see X crash when I hit one of the fancy mouse-over menus at their site.

I'm sorry to hear this.. I've been on nVidia's website and yes, mouse-over menus were looking nasty, but everything worked just fine.. no crashes whatsoever. And besides, this is nVidia's fault, since their pages do not follow W3C standard. ;(

Quote:

I was a big Linux fan for a while (and I still am, to a point) but with seeing all the new and wonderful holes in the OS everyday, coupled with the greatly reduced tools (I missed Office XP and VS.NET, and no, OpenOffice.org is *NOT* a suitable replacement) it was only useful as a utility OS.

"Wonderful" holes would perhaps be on every known system.. But due to the open source nature, it's much easier to find them on Linux than on Windows.

Office XP isn't a saint either... let me remind you that there're about 8000 macro viruses.. and I'm more than sure that you won't find then on Linux.

Phew.. that said... just for the record, I'm not a Windows hater or Linux lover.. Both of the systems have their advantages and disadvantages..

[clutch 1]

Was gonna do a bunch of quotes for the responses, but that's too much effort. In any case...

 

1. Ext2, Ext3, ReiserFS, etc. can all easily be chrooted into unless you are using some sort of extended ACL control, which almost nobody is. I have done this over and over again to repair screwball installs for others by simply booting off of a CD-based distro, or using a core installer off of a CD such as Gentoo. While you may need a Linux disk to reset an admin password on a Windows box, you don't even need that for a typical Linux install. Just replace a few "choice" files and you're done. Hell, you can even be network enabled with some of these boot CDs and move your files wherever you want. Nice and handy indeed. With the new Gentoo disk, you can have someone boot a system off with it, and start the SSH server. Now, you have a nice and secure means to work with a system over the network and not need to be in the same room anymore.

 

2. I would rather have the source code contained for security measures than have the whole world find holes or simply imbed their own BS into it. Also, out of all the apps that I have ever used in Linux (compiled for about 90% of them), I have only really "used" the source code twice. Once I used it to hack the nvidia drivers for suspend use in a laptop (although most of the driver is still closed source, this is more of a config thing) and once to bypass a function that disabled UDMA on my ASUS P4PE (which wasn't an issue in Windows, and was ready to go with proper drivers out of the gate while the Linux community with all the "eyes" on the code could only come up with a hack to disable one thing to enable another). Neither of these issues were of consequence in Windows, but hurray for Open Source, right? ;( Not to mention that many applications are being pimped as RPMs anyway, so most users aren't even bothering to compile these things. So, we can now have thousands of users with Linux boxes using precompiled binaries (Open Source not saving them here since compiling is such a "hassle" for them) from a compromised source. Hell, who needs an automated worm? Just attack a server running an out of date vi and change the source code and hosted binaries. That's a lot easier.

 

3. vi has had several issues from what I remember, and my point is that no *text editor* should be able to let someone take over an OS, period. Although a notepad exploit would be funny, it's unlikely.

 

4. Yeah, so nVidia doesn't follow the W3C, but then again how many sites do? In addition, the web browser was *still* able to crash X and all the apps that were dependent on it. This is the point. People bash IE and yell about exploits for it, when Mozilla can crash the OS with just a screwed up menu, and a text editor (yes, I know it can do more, but it is on almost *every* distro of *NIX there is) can be used to take over the OS.

 

5. I wasn't talking about security of Office XP, but then again that's what I use a virus scanner for, and I don't enable macro usage unless I know the source (default setup anyway). I liked the ease of use of the application, as opposed to the clunky behavior of OpenOffice.org. This, coupled with the odd font rendering in it while using Fluxbox or KDE at 1600x1200 on my laptop, it just wasn't worth wasting my time with anymore.

 

However, I am not a Linux basher as I was a big Gentoo geek for a while. I love Fluxbox, and miss it dearly. But when someone extols the virtues of Linux without sharing the full story, I take issue with it. A Windows system can be *heavily* secured using the right templates that measures that are freely available. This can be done for pretty much any OS, but any OS has weaknesses. At work, we take security pretty seriously (Sr Systems Engineer for the Department of the Army, Active Directory Project) and we have a whole bunch of things applications have to get through before use in the Enterprise. While MS products have security holes, they can be addressed before use in production, and in many cases can be secured before an exploit is even discovered (such as the hi-sec template for IIS, or URLScan for IIS, with CodeRed). In many cases, we can't use Linux because it isn't FIPS compliant, unless we are using Red Hat stuff (ick) since no other distro either has the funds or the confidence to get it tested. Oh well.

[nebulus 0]

I think I'll skip quoting too

 

1) Ok, I'm lost here.. Are we talking about home or small-business solutions?

Anyway, this would only work at home.. and I think BIOS password would do the trick.. Of course, if someone really wants to be paranoid, there's always an encypted filesystem that could be used as an way out. But honestly, is it really necessary?

 

2) You can use MD5 checksums to verify the packages you download. ;(

And don't you love that you have the freedom to choose between pre-compiled RPMs, etc. and source code?

Yeah, I agree.. drivers can be a PIA, but I blame this on manufacturers.

 

3) I think you've mentioned before that it wasn't just a text editor.. and besides, comparing it to notepad is like comparing Porsche to an old Lada. Anyhow, I won't be lying if I say that all current distros are running version(s) where this security issue was resolved.

 

4) In general, any sites created with anything else than FrontPage are ~85-100% compatible with the standard. It doesn't take too much to follow the standard!!

 

When it comes to Mozilla crashing the OS.. well, from what I've read, there's most definitly something wrong with your setup. I've been using Linux for about 3 years now, and the only time X crashed on me was on RedHat 6.something.. about 2 years ago at the university campus.

 

5) That's exactly my point.. what's Micoro$oft done for you? I mean, they created a new technology without even thinking about the security.. I remember when Outlook Express first came out, it took two versions just to realize that maybe it wasn't such a good idea to enable some things by default after all.

[clutch 1]

1. Not just home, but these can be easily circumvented. Again, like any OS, it relies on the ability to physically secure the server. So all OS vendors rely on this same premise and can be compromised in a similar manner (no OS is all that better than any other). That's the point.

 

2. While you *could* do that, many don't. Also, there's no guarantee that the MD5 wasn't generated to match the new binary. If someone can generate an original, another can be generated for a fake. Also, drivers can suck, but for the most part only if you don't know what you are doing. Plus, having so many distros and kernel options to consider can't make it much easier for the manufacturers.

 

3. vi is on everything UNIX, and therefore compromised every UNIX installation in use. I still consider that a *big* deal since it isn't a core function of the OS (like IE, remember the browser is the OS and the OS is the browser ), but rather an added (and needed) application.

 

4. From what I remember, Flash isn't part of a standard, yet tons of pages use it (and is a major PIA for many *NIX/BSD users). While it doesn't take much to follow the simple standards, very few will properly pass either the HTML or CSS validate from the w3c (check out www.ntcompatible.com, sorry Philipp ). In addition, many browsers can't properly process all the CSS2 functions, and many web desingers are still using tables to align graphics. But this can be reserved for a separate debate . My point is that a stupid application could repeatedly crash X, and this happened on all my installations and that of others.

 

As for using Linux, I have been working with it for about 4 years before I took a break, so I am somewhat familiar with it myself .

 

5. Actually, I get many free utilities from MS (even before working with the Army) for performance tuning and security. But here's a better question: How long did it take for the UNIX guys to realize that shipping out user accounts and passwords in plain text was a bad idea?

[nebulus 0]

Quote:

While you *could* do that, many don't. Also, there's no guarantee that the MD5 wasn't generated to match the new binary. If someone can generate an original, another can be generated for a fake.

How difficult can it be?.. md5sum downloaded_package_name... And there's absolutely no problem to generate new MD5 checksums.. it's just another line added to the script.
You do download from trusted sources, right?? Unless files have different sizes, there's no way MD5s wouldn't be the same.

Quote:

From what I remember, Flash isn't part of a standard, yet tons of pages use it (and is a major PIA for many *NIX/BSD users). While it doesn't take much to follow the simple standards, very few will properly pass either the HTML or CSS validate from the w3c (check out www.ntcompatible.com, sorry Philipp ). In addition, many browsers can't properly process all the CSS2 functions, and many web desingers are still using tables to align graphics. But this can be reserved for a separate debate . My point is that a stupid application could repeatedly crash X, and this happened on all my installations and that of others.

I was referring to HTML/XHTML standard(s).. And of course, Flash is not a part of it.. Anyway, I don't see any problem here.. Just go to macromedia.com and download needed libraries. So, flash works just fine on Linux.

As for CSS2.. yes, there're browsers that do not fully support it; btw, Internet Explorer is one of them. But there're also many other browsers that do; Mozilla, MozillaFirebird and Opera are among them.

You should really try to trace the problem.. I've been using several distros for the past 3 years and X crashed on me just once.. and it wasn't Mozilla that caused X to crash..

[clutch 1]

Mostly, those points were to serve as a counterpoint for what you were saying. The MD5 checksums *could* be generated for the altered binaries and then uploaded to a compromised site, at which point you would easily validate the compromised file since the MD5 was made for it. As for the HTML response, you were stating that is was so easy to follow the standards, yet I was showing that just about any site picked online doesn't follow them (and getting Flash to run requires libraries that you will probably need, which require something else and blah blah blah - thank God for "apt" and "emerge" ). Now, for tracing the problem, a later release of Mozilla did address the issue, but my point was that it shouldn't have happened to begin with. Since the browser is not part of X (like IE is part of the shell in Windows) there was no valid reason for it to be compromised like that.

[nebulus 0]

Well.. MD5s are usually placed on a different server than binaries or the source. But yes, it could be an issue.. As for HTML.. it drives me crazy, because it doesn't really require to much effort.. Phew.. people are so ignorant sometimes..

[clutch 1]

Quote:

As for HTML.. it drives me crazy, because it doesn't really require to much effort.. Phew.. people are so ignorant sometimes..

Yeah, I know. It would seem that these WYSIWYG editors would have the simplest HTML licked by now, but it doesn't. I really like using VS.NET for ASP.NET stuff, and yet it will still not do the simplest things like close off tags for bullets and such (but then again, GoLive and Dreamweaver didn't either a while ago, I don't know about now). It just seems like it would be easy to take care of, but it must be easier to make browsers work around sloppy code... ;(