Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Softpanorama Bulletin
Vol 16, No. 01 (January, 2004)

Bulletin 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

Softpanorama Laws of Computer Security

Dr. Nikolai Bezroukov

Version 0.8

 

Never underestimate the power of human stupidity

Anonymous

Computer Security is an anthropomorphic deity of a new messianic high demand cult. It is synonym of goodness, happiness and light; a mystic force which provides a beautiful eternal harmony of all things computable. The main recruitment base of the cult are system administrators.

A secure server is a cosmic harbinger of charismatic power; an exorcistic poltergeist that preserves mental health, cures headache, allergy, alcoholism, depression, and deters aging. It is a nirvana for both young and old system administrators; an enviable paragon of all imaginable idealistic virtues; an apocalyptic voice that answers the question: "What is truth?".

Finally, a secure computer network is the bright hope of all mankind, a glimpse of things to come with the help of Homeland Security, and an inscrutable enigma that may well decide whether this nation, or any other nation, conceived in Liberty, can endure. In the USA this notion plays a role similar to the second coming of Christ in some high demand cults.

Abstract

Computer security is a very loaded term. One aspect of security is so called hardening, which is currently is one of the most fashionable topics. The latter is essentially an attempt to convert a general purpose server into an appliance to improve the level of protection from external as well as internal threats, including the "fifth column" problem; there is no free lunch and hardening generally makes server less users/developers friendly. Given that complexity is the biggest single enemy of security, it's only logical to remove everything that is not essential for the task in hand, users be damned ;-) 

Unix hardening in general can be viewed as implementation of the Principle of Least Privilege. For example it is difficult to harden systems with GUI desktops like Gnome of KDE. So it server is interned to be more secure, it is prudent to configure X subsystem for a manual start, so that in production mode X usually does not run. Same is true for other similar daemons. 

But the key problem with hardening is to know where to stop not how to make the system more secure. And the key principle is "not too much zeal". Unfortunately   corporate security departments often discard this vital principle and use hardening for justification of their existence ;-).

Although few, if any, fundamentally new Unix vulnerabilities are evident today, most today's Unixes do not include advanced security techniques, let alone the enhancements identified as essential to fight them. Solaris is one of the better Unixes in this respect and it does include some interesting features like , roles and, especially, zones and privileges management (in Solaris 10+). It also includes advanced file attributes which is a mixed blessing.

The author argues that deep hardening is essentially a process of conversion of general purpose OS into a specialized OS and that's why for organizations without much local talent it might be better to use appliances.

There are also some inherent limitations in the level of security achievable in any given organization. The author formulated three laws of Computer Security:

  1. In a long run the level of security of any large enterprise Unix environment can not be significantly different from the average level of qualification of system administrators responsible for this environment...
  2. If a large discrepancy between the level of qualification of system administrators and the level of Computer Security of the system or network exists, the main trend is toward restoring equilibrium at some, not so distant, point...
  3. In a large corporate environment incompetent people implementing security solutions are a bigger problem that most OS security weaknesses because users tend to react on actions that decrease user-friendliness of the system by actions that the tend to restore it. The real computer security skills presuppose not only the knowledge of what should be done, but the knowledge were to stop in order not to cause excessive backlash. The latter skills presuppose understanding of architecture of the environment and are completely lacking in wanna-be security specialists. If incompetents happen to be in charge of security one should expect that they will implement the most destructive for corporate IT security measures dictated by the current fashion, driven by excessive zeal and desire to survive. Measures that backfire and due to use counteractions create security holes bigger then they are trying to patch.

This article is an attempt of skeptic treatment of this theme and is a modest attempt to fight "security fascism": counterproductive restrictions that complicate user and system administrator lives, while adding nothing of even diminishing security. There is almost no articles on the WEB that are critical or even slightly skeptical about security tools in general and Computer Security tools in particular. This article tries to fill the gap.

Introduction

Security is like an erection: with proper drugs
it can always be harder and longer lasting but it never lasts forever.
Also that doesn't necessarily imply your initial impotence.
Slightly modified Slashdot post (#10252795)

Not too much zeal!
Charles-Maurice de Talleyrand
advice to new diplomats

Computer security currently is one of the most fashionable topics. Important part of computer security is related to hardening: making a system or network of computers less vulnerable to some broadly defined class of attacks. It is essentially an attempt to convert a general purpose server into a less flexible (and less useful) appliance. There is no free lunch and in order to improve the level of protection from external as well as internal threats ( including the "fifth column" problem) means to make the server less user/developers friendly.

Given that complexity is the biggest single enemy of security, it's only logical to remove everything that is not essential for the task in hand, users be damned ;-). Unix vulnerabilities are not new and are usually just a variations of some classic theme. Many of them are connected with the usage of low level language (C) for system programming. For example buffer overflows is a classic example of this category.

Most of classic Unix vulnerabilities were discovered approximately 40 years (Let's say at the time of writing of Morris worm) and for the last 40 years there were proposed and implemented various features that help to fight them. Modern Unixes usually contain some additional security mechanisms that allow fighting them. There are even some improvements in C compilers that allow to generate less deterministic code (and thus make buffer overflow more difficult). Even classic security problem of too powerful root and underpowered regular accounts was solved in Solaris -- one of the better Unixes in this respect. Solaris does include some interesting features like advanced file attributes, roles and, especially, zones and privileges management (in Solaris 10+). This mechanism allows to alienate the problem of all-powerful root, but the problem is that classic root/regular user mode of operation, this mentality is so ingrained now in Unix system administrators that most often Solaris is used like "deficient" Unix that does not has those capabilities. So here we might start to understand that in some way with operating system of complexity of Unix human factor might be more important then real or imaginable deficiencies of the OS.

Similar situation exists in Linux. Various flavor of Linux has additional security mechanisms such as AppArmor in suse, Ubuntu and friends, SELinux in Red Hat, Oracle Linux, CentOS and friends. But few administrators uses them because they a little bit (AppArmor) or substantially (SELinux) complicate troubleshooting and make it more difficult to add services to the system. Situation reminds old proverb: you can take horse to the water but you can't force it drink.

Similar situation exists with usage of firewall. Among enterprise Linux distributions Red Hat instances has substantial fraction of cases with enabled firewall. All other flavors of Linux typically are used with firewall disabled, at least in enterprise environment (paradoxically Linux desktops typically have firewall enabled -- may because it is enabled by default and few user know how to disable it :-). Even Red Hat in many large corporations is used with firewall disabled, not because they want to weaken security but because sysadmins feels less comfortable with firewall enabled environment.

Moreover in all modern Unixes TCP wrapper are deployed by default (in Linux they are built-in in xinetd daemon and many standalone services such as Sendmail, postfix, vsftpd, etc). They are closer to application level firewall then iptables, easier to configure and permit doing much more then regular firewall. For example they can prohibit connections from IPs that are not resolvable by DNS (albeit only for TCP, not UDP). They are also much more efficient as they affect only TCP handshake. But probably less then 10% of sysadmins who uses firewall also use TCP wrappers. This is another cane of complexity that is affecting security.

While we can argue to what extent those observation reflect reality one thing is certain. The weakest link is not always the modern Unix or modern applications (although they both still have problems). It's he qualification of system administrator and users who have access to root that is critical factor in modern Unix security.

This article is an attempt to emphasize human factor in Unix security as well as a modest attempt to fight "security fascism": counterproductive restrictions from clueless "security specialists" which just complicate user and system administrator lives, while adding nothing of even diminishing the level of security. There is almost no articles on the WEB that are critical or even slightly skeptical about security honchos and security tools in general. Somehow it is naively assumed that hardening tools available are good and that their application does improve security.

It's important to understand that you should not take anything for granted, especially in security. If you are confused by the stream of software, hardware, and services hanging their claim to fame on better security, please be aware that security is probably the second most promising IT field for snake-oil salesmen after (or may be even before) software development methodologies ;-) We're all for better security, but often "security" is used like a universal door-opening key by yet another variety of "ambulance chasing lawyers" to force on the customers useless or even harmful product that trivialize the really complex issues involved. "Mistrust first impulses" this advice of Talleyrandis especially applicable to security.

Softpanorama laws of security

Based on this understanding of the importance of human factor in computer security in general unix security the author formulated the following three laws of computer security:

  1. In a long run the level of security of any large enterprise Unix environment can not be significantly different from the average level of qualification of system administrators responsible for this environment...
  2. If a large discrepancy between the level of qualification of system administrators and the level of Computer Security of the system or network exists, the main trend is toward restoring equilibrium at some, not so distant, point...
  3. In a large corporate environment incompetent people implementing security solutions are a bigger problem that most OS security weaknesses because users tend to react on actions that decrease user-friendliness of the system by actions that the tend to restore it. The real computer security skills presuppose not only the knowledge of what should be done, but the knowledge were to stop in order not to cause excessive backlash. The latter skills presuppose understanding of architecture of the environment and are completely lacking in wanna-be security specialists. If incompetents happen to be in charge of security one should expect that they will implement the most destructive for corporate IT security measures dictated by the current fashion, driven by excessive zeal and desire to survive. Measures that backfire and due to use counteractions create security holes bigger then they are trying to patch.

The first law is connected to the fact that the security is always as strong as the weakest link and most often the weakest link is not the OS or application, but the security specialist in change of security and system administrator who is responsible for the particular server. In case measures severely limited server functionality are implemented, the natural tendency of users and administrators is to adopts set of behaviors which are directed toward restoration of the previous level of the user friendliness of the system. Often such behaviors are more dangerous then the real or fake threats that were stimulus for implementing the original "pseudo-security" measures in the first place.

Seldom one can see a critical evaluation that openly states that such-and-such security tool is a dinosaur that lost all practical value several years or even decades ago and such-and-such is badly written and has poor architecture. The reader often needs the ability to read between the lines and if the source is available, analyze the source to get the idea of "what is what".

Talking about different flavors of UNIX it's clear that they are not created equal: have a very high respect for OpenBSD approach and that's what we should probably try emulate in Solaris environment.

The author feels that there is still a shortage of good Solaris hardening tools, but also (and what is more important) a shortage of highly qualified Solaris administrators. Security is usually a battle on two fronts: you fight both an external enemy and an internal enemy at the same time. And the internal enemy is not only what is usually called "insiders." It is often sysadmins themselves (we met our enemy, it's us :-), especially those who reached or exceeded their level of incompetence (see Peter Principle for details).

There are a couple of decent existing tools for Solaris hardening (Titan, Jass, RQ-Kit) but all of them are still pretty raw and require an excellent knowledge of Solaris to be implemented properly. That actually might be a good thing: there is not and never will be "An Administering UNIX Security for Dummies". And in the age of outsourcing this is a good news for both highly qualified system administrators and, on the other side appliance makers and appliance market ;-)

More on Human Factor

IMHO the percentage of clueless or redundant people in corporate IT is usually correlates with the square of the company revenue in billons (government is a special case ;-). And it's this internal enemy that represents real "fifth column" in computer security, the problem that should not be underestimated. As Richard Forno aptly noted in one of his SecuryFocus columns "much of what constitutes the 'cyberterror threat' comes down to the poor management of systems critical to the security and viability of the United States."

An often overlooked fact is that Unix is too complex an OS to be administered by dummies. Idiots sysadmins ( I mean here an incompetent sysadmin, who is not interested in Unix and does not work on improving his/her level of understanding of the system (an official definition "...a cretin, morpohodite, or old COBOL programmer selected to be the system administrator by a committee of cretins, morphodites, and old COBOL programmers." :-) by themselves are the biggest security risk to the system they administer, IMHO much bigger risk than hackers...

I can even reformulate this idea as "Softpanorama First Law of Security":

The level of security of any Unix environment can not be significantly different from the level of qualification of system administrator(s) responsible for this environment...

And you can easily guess The Second Softpanorama Law of Security:

If a large discrepancy between the level of qualification of system administrator(s) and the level of hardening of the system exists, the main trend is toward restoring equilibrium at some, not so distant, point...

It is important not to underestimate the human factor while working to improve the security of your intranet:

That actually means that learning of Solaris as a (very interesting) OS is probably the first and most important task that needs to be addressed. Not installation and running of some fancy security tool (or two), but general level of understanding of Unix in general and Solaris in particular is the most critical security resource.

Only those, who really understand "what is what" in Unix in general and Solaris in particular can successfully minimize their systems and understand compromises that are always involved in disabling services, changing settings and permissions recommended by hardening tools. There is no free lunch and tighter security makes the system less and less usable which in real world translates into "everybody uses root" situation which in turn completely defeats the measures implemented. So finding a point where to stop is very important. Too much security can be counterproductive and very harmful. Please keep in mind there are sadistic sysadmins and security analysts who use security to torture users just to increase their social status.

Some tips

Here are several other things that I think are important in no particular order. We will call them tips.

  1. You should never trust anyone's advice or security tool advertisement without a lot of critical thinking. Consultants are often biased and blatantly incompetent: security professional services are often dumping grounds for people useless in other departments of an organization (thing about cleaning services recruitment problems). Vendor tools advertising is very often blatantly overstate the usefulness and understate negative side effects of a particular tool. Some of then are applicable to your environment, but some might be definitely counterproductive. You should not try to be holier than Pope (or try to apply a firewall hardening policy to an non-critical internal server :-). But the sad truth is that in a large corporate environment this is, unfortunately, an most easy and politically correct path. At the same time excessive security/hardening zeal is a very dangerous thing and it can easily put your company in such a disadvantage that any measures to improve IS will simply never work ;-). For example I suspect more servers were hosed by, say, misapplication or overzealous application of hardening scripts, say, Titan then hackers; I did it a couple of times myself ;-)
  2. Like for any book of recipes or guide to successful living you should know that most security advices are simplified or even wrong answers to complex questions and you should treat them as such. They might be naive (and this is the level of a lot of security papers ;-), and thus not be applicable to your particular situation or worse can be outdated, incorrect and even harmful.

    You should use tools that permit you to create your own hardening policy and you do need to understand what each script is doing while writing such a policy. Again, you should never accept and use a recommendation without thinking carefully and critically first! Too much (stupid) seal in security is more dangerous that any hacker. An idiot with the security initiative can paralyze the organization pretty quickly. Sometimes even sound recommendations can be not that sound in real-life environment ;-) For example if X is blocked by a firewall than the security gains from killing X environment are less and might not outweigh losses of productivity... Also in many DMZ situations with strict routing and switched segments the risk of eavesdropping is much less than other risks and SSH just adds additional complexity. Password protection policy is also non-trivial thing. See for example Slashdot The Psychology of Passwords. I would repeat it again: if somebody can steal your shadow file with encrypted passwords and you have more than a dozen of users, then most probably you are a toast anyway, so why to increase the level of hate toward security (and the number of helpdesk tickets).
  3. There is no substitute for real understanding of the OS and infrastructure. Security tools is just extension of your knowledge, not a substitute for it. The present level of development of hardening tools still is far from the "idiot-proof" level and with the complexity of tasks that they solve I doubt that they will mature to the level of "run and forget" in the foreseeable future. If you do not understand the tool and the reasons and consequences of the action of a critical modules of a hardening package you can destroy your system more effectively that any hacker. I know because I did it several times using Titan on Solaris ;-) Probably a lot more systems were destroyed by sysadmins that try to apply hardening scripts without bothering to understand what exactly they are doing that by hackers :-). Also Unix is an old OS and there are a lot of legacy staff in each distribution that presents a danger because of their obscurity. For example who is still using UUCP ? But the package is present in most Solaris installations I saw. And it is still a security danger as anybody who knows UUCP really well can attest.
  4. There is no substitute for real understanding of applications you are running. Most of the threats we're seeing today are attacks on applications. Even such traditional points of attacks often discussed/hardened on OS level despite the fact that DNS server, WEB server or FTP server or Telnet server are essentially applications. Hardening of applications is different from hardening OS (unless you can disable the application in question) and more complex (or to be precise less studies and more cumbersome). One of the most common types of attack is I personalization, where somebody first breaks into legitimate user account and then try to extend his access into other users accounts and steals as much information as possible via their network identity is usually performed on the application level. That's one of the most common attack that one should expect at the application layer (for example via fake email to the user with the request to confirm some data and fake form that mimic actual authentication form) and take measures to prevent it harden the applications (both application server and database server) against it. For example a nice and simple precaution would be a statement on the authentication page that in no case this or similar authentication form can arrive in a email.
  5. Working with vendors that try to sell you security products please remember about Technobabble

    If the vendor's description appears to be confusing nonsense, it may very well be so, even to an expert in the field. One sign of technobabble is a description which uses newly invented terms or trademarked terms without actually explaining how the system works. Technobabble is a good way to confuse a potential user and to mask the vendor's own lack of expertise.

    And consider this: if the marketing material isn't clear, why expect the instruction manual to be any better? Even the best product can be useless if it isn't applied properly. If you can't understand what a vendor is saying, you're probably better off finding something that makes more sense.

  6. The main enemy is within and often it's you ;-). The main problem is not a "uberhacker" breaking into your site (most hackers are much less technically sophisticated than it is assumed in the security literature and pray for easy targets; BTW that makes UltraSparc Solaris 10 much less vulnerable that Intel-based systems), but some stupid blunders on the part of sysadmin that makes site vulnerable to script kiddies and insiders. That means that checks need to be periodical and that security is a continuous (and rather boring) process much like cleaning the house. Also patches need to be applied of a regular basis and they often change permissions, RC scripts, etc from previously hardened state to the "natural" state. The means that periodically you need to perform "re-hardening" of the system
  7. Unix may be insecure, but applications are even less secure than Unix. Web server misconfigurations, vulnerable CGI scripts, PHP (which is a wonderful source of break-ins in modern environment), junk programs written by programmers who might be better choosing other occupation, blunders in writing complex applications like Websphere (where left hand does not know what the right hand is doing ;-) etc. are a large part of the security risk and need to be treated with due attention. This topic is covered elsewhere.
  8. It is important not to underestimate the human factor while working to improve the security of your DMZ or intranet:



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: October, 11, 2015