Re: [linuxiran] www.pclinuxonline.com hacked by Iranians, what a shame!


From: Aryan Ameri
Subject: Re: [linuxiran] www.pclinuxonline.com hacked by Iranians, what a shame!!
Date: Thu, 8 Apr 2004 17:30:30 +0300
User-agent: KMail/1.5.3

On Thursday 08 April 2004 04:58, Arash Partow wrote:
> I'll start by adducing the following:
> "Tis better to remain silent and be thought a fool than to speak and
> remove all doubt"
Arash,

First of all, let me clear this up:
Though your emails are always harsh, and you always sound like a 
grandfather advising his 3-year-old son on what to do and what not to 
do, I view your criticism as constructive, and look forward to reading 
your messages and learning from them, even though sometimes, as I said, 
you are truly harsh. I value your advice Arash, and I have learnt 
enough great things from you to know that I should be grateful to you, 
but I just want to tell you this: reading your emails and trying to stay 
calm is difficult, especially when you use such an authoritative tone 
that implies "what the hell do you know? I am the person with the 
knowledge and know-how here". I never doubt your technical abilities, 
but my advice as a young pupil to you is: try to use a calmer tone when 
talking to someone who is not as knowledgeable as you in a specific 
subject. As I said, reading your emails and trying to keep a straight 
face are damn hard for me, really hard...

>
> 1.) I did not in any way imply, assert or assume a "distro/OS war";
>      don't be so defensive. Try and UNDERSTAND what people are saying,
> try and comprehend the message and the context of the message that is
> being conveyed, and don't just say things for the sake of just saying
> something.


I said this because I thought that the issue is related to PHP-Nuke, and 
I thought running PHP-Nuke on any OS would mean dealing with the same 
vulnerabilities. I didn't know that the BSDs had done something 
specific to address the problem. My mistake.


> 2.) I believe in choosing the right tool for the job, the RIGHT tool
>      for the job, not the culturally accepted one, not the one I am
> passionate about, not the one my girlfriend/wife etc tells me is
> good, not the one my religious or pop icon (whichever takes your
> fancy) tells me is good, not the one I read in an article on some
> popular site. I choose the right tool for the job based on what my
> logic and past experiences and current requirements deem to be the
> right tool for the job. Which job? The job I have in front of me.
> What tool? The right tool. Repeat after me: the right tool for the
> job, the right tool for the right job. Keep on repeating that to
> yourself until it really sinks in; as an engineer this is one of the
> fundamental principles you should work towards. There will always be
> a finite set of solutions which can be used to solve a problem, but
> out of this finite set there is a much smaller subset which are
> solutions which solve the problem fully, adequately and properly.

I do try to choose the right tool for the job, but I also take into 
account other considerations. Who is providing my tool? What will be 
the consequences of me using this tool? Will I be stuck with the same 
vendor to provide me with the tool, or am I free to choose an 
alternative vendor in future, without losing much productivity? In 
other words, is this specific tool a proprietary lock-in, or does it 
follow some kind of an accepted standard?

Just because something is the right tool for the job at a specific time 
doesn't mean that I should use it. I also consider its future 
viability. I am not sure I would rely on BSD for a long-term project. I 
don't agree with Slashdot saying "BSD is dying"; no, BSD is not dying 
and it will be around for the foreseeable future, but it has 
certainly lost commercial support, and hence I don't really feel 
comfortable using something that has no major backer.

I have nothing against the BSDs Arash. I am a great admirer of them. For 
the record I have FreeBSD 5.1 installed on my machine, and I frequently 
use it as a workstation OS. I also have used and continue to use 
Darwin, which is another BSD-based kernel. I don't have any experience 
with netbsd and openbsd, but I have enough knowledge about BSDs that I 
am sure I will feel right at home, if/when I try to use them.

Having said this, my main complaint about using BSDs as a server OS, 
especially in a commercial environment, is the lack of vendor and ISV 
support for it. Please enlighten me, how do you plan to run Oracle or 
IBM DB2 on your net/open/free bsd server? What about all those other 
programs produced by Sybase, Computer Associates, PeopleSoft, ... and 
many other ISVs that support Linux, but not any version of 
BSD? There isn't even a native Java SDK for the BSDs. The same story 
holds for IHVs. openbsd and freebsd (I don't know about netbsd) 
currently do not support the AMD64 architecture, something that Linux 
has supported for so long, and even Windows is going to support in the 
near future. What about the IBM PPC 970 processor (aka G5)? Again you 
will see that Linux supports this platform, cause hardware 
manufacturers are now eager to have Linux support on their platform. 
But when was the last time you heard IBM, Sun, HP, etc talk about BSD 
support on their platforms? IIRC, the netbsd team had a hard job trying 
to port netbsd to UltraSparc IV, cause Sun didn't supply them with 
adequate documentation. The same documentation that they had readily 
made available to the Linux developers (under NDA). This might not be a 
fair game, but that's the game that is currently being played in the 
industry.

Linux (good or bad) is now a buzzword. Any technically illiterate 
manager has now heard of it, and with the backing of big vendors such as 
IBM and HP, it has become a viable alternative in the computing 
industry. Companies are now switching in hordes from proprietary 
hardware platforms running Unix to cheap x86 processors running Linux. 
I know, the x86 platform is horrible sh**, but who cares? Right? 

You have been working in the industry for so long, so I probably 
shouldn't tell you this. But when advising a company on using a 
software/architecture, you should take into account the managers' 
familiarity with that software/platform. Managers and decision-makers 
right now know Linux, and you are able to find it in nearly every 
Fortune 500 company. Can you say the same about BSD?


And there is also the problem with support. Which well-known, 
established company do you know that offers 24/7 risk-free 
international support for any BSD? Sorry, I know that the source is 
available and I can hack/patch it, but Wall Street needs someone, some 
company, to be behind a product and support it. That's the way business 
works, Arash. Can't you just see why BSDs are not a viable alternative 
as a server OS in the industry?

I am not knowledgeable enough to know if BSDs are more technically 
advanced than Linux or not. They might be in certain respects, and I 
assume that Linux is probably ahead of the game in a couple of respects. 
While no one claims that the Linux kernel has a nice design, everybody 
agrees that at least Linux is progressing really fast. It now has four 
industry-standard journaling file systems, where BSDs have none. The 
2.6 kernel has made great strides in the SMP and scheduling sections, 
and I bet Linux 2.6 is more scalable than any BSD kernel. It can easily 
use 32 processors, and SGI a while ago demonstrated a machine using 512 
processors running Linux. Last time I checked, everybody was saying 
"yeah, you can use FreeBSD fine on a 4-processor machine, but don't go 
any higher than that". I don't think netbsd and openbsd are much 
different in this regard. Linux now has support for hot-swappable hard 
disks (on architectures that support it), and support for hot-swappable 
CPUs is also on its way. Again, something that all BSDs are lacking.

Putting the technical arguments aside, as I said, for good or bad, BSDs 
lost the publicity war in the 90s. There are thousands of reasons why 
"Linux is the right tool for the job, and BSD isn't". How are you going 
to respond when your client asks for Oracle support on the server? Are 
you going to tell them "well you know, you shouldn't really be using 
Oracle, cause Oracle doesn't support openbsd and openbsd uses libSafe, 
and that is what really matters"?

Sorry, you just lost your client.

> What does this all mean? It means don't take the cheap path or the
> easiest path, don't take the path which makes you more comfortable,
> take the path which gets the job done properly, take the path which
> gets the job done right, take the path which does not barely get the
> job right, but fully, without any exceptions, gets the job done right
> AND properly. And if it takes a bit more work or resources or time,
> so what? The final result is important, not the elegance of the
> process.
>
>
> I wasn't advocating we should use openbsd for desktop workstations or
> that we should replace every system with an openbsd version; all I
> was saying was for server end applications openbsd is the RIGHT tool
> for the job. Linux is a tool that currently gets the job done, but
> it's not the right tool, nor does it get the job done fully. openbsd
> will get the job done right, fully, without any exceptions.

See the exceptions above, on why openbsd doesn't get the job done.

> Coming
> back to the rule, the right tool for the job: openbsd should be used
> for guarding clusters of less secure servers, be they running linux or
> windows etc..
>
> I would never advocate a normal user (ie: accountant, secretary,
> student etc...) to use openbsd as a workstation OS. openbsd's current
> specifications aren't meant for such uses, even though they can be,
> even though I use it and many people that I know use it as work
> stations.

I use Linux as my main OS and I am a devoted advocate of it. But even I 
don't think Linux is the right choice for the desktop, at least not for 
many people and in many situations. It might be ready for the desktop 
in a few years, but it's not there yet. On the other hand, I now 
believe Linux is ready for prime time on the server. From small 
servers (i.e. web server, mail server, etc) to middle-level servers. I 
can even buy the argument that the newer versions are even capable of 
running mission-critical systems (banking sector, airline industry, 
etc). I however don't think "BSD is the right tool for this job" 
because of the above reasons.

Now, here is my question. What makes you believe that Linux might be a 
good choice for the desktop/workstation while openbsd is not? What 
difference do you think the user will face when switching between these 
platforms? The answer is: nothing. Cause nearly all the user-space 
applications are the same. They use the same compiler, they run the 
same X, the same window manager, the same browser, the same editor, 
etc. I don't really understand why you keep on saying that BSD is not 
a good choice for the desktop (and you imply that Linux is), while as 
far as I can see, for a user they make no difference. I can change my 
mother's OS from Debian GNU/Linux to freebsd in an instant, and she 
won't even notice the difference, cause she will keep on using the same 
programs that she does now, namely KMail, Konqueror, Kopete, ... I bet 
that she won't even see or know that her OS has changed. BSDs are as 
good as any version of Linux for the desktop/workstation. Everybody is 
just talking about Linux, cause well, it's the buzz now.

> Now let's begin shooting down some of the things you said:
>  > C'mmon, let's not turn this in to a distro/OS war. I have nothing
>  > against *BSDs, I certainly applaud the work of the OpenBSD team,
>  > and their approach to security, But this has nothing to do with the
>  > OS.
>
> Totally incorrect. Responsibility for security falls at each level of
> computing: user, application, OS and hardware. Each layer has to do its
> part. ESPECIALLY the OS, since it can't guarantee a competent user or
> a competent application programmer.
>
> The problems with PHP-Nuke relate back to stack smashing. In short,
> dangerous string processing functions in stdio and stdlib are called
> by the interpreter, which is in turn being called by the php code.
> Simple things like strlen, strcmp etc...
>
> openbsd fixed these problems by using implementations of those
> functions from a library called libSafe written by Arash Baratloo.
> They are the key elements in openbsd, and now also in netbsd and
> freebsd, which protect the OSs from such stack smashing. Again, a
> competent programmer is needed to see the need for using these
> methods, just like a competent programmer is needed when it comes to
> deciding why one should use reentrant versions of a method rather
> than a non-reentrant version when it comes to concurrent programming,
> just like there needs to be a competent person when deciding what OS
> should be used for what task, and not just someone advocating the use
> of something just for the sake of using it, not really knowing why
> they advocate it other than the fact that they seem to have spent a
> lot of time advocating it and wouldn't like to see their efforts go
> to waste.

Keep bashing and bashing and destroying your opponent's personality, 
without specifying anything specific. 

Contrary to what you think Arash, I am not a Linux zealot. I don't 
advocate its use everywhere. I have been advising nearly all my 
friends to buy a Mac as their desktop/laptop computer, and during the 
last 6 months two of them actually listened to my advice, and now keep 
thanking me for the choice that I recommended to them.

I am not even an OpenSource fanboy.  I was involved in this project, 
making a database of available houses in the city, so that students in 
the university can easily find the right accommodation for themselves. 
Having finished the DBMS course last semester, I was given the job of 
choosing and setting up the database server, and I didn't even hesitate 
in selecting Oracle. (MySQL sucks, PostgreSQL has the potential, but 
isn't there yet). 

I actually do believe in choosing the right tool for the right job. And 
the reason that I advocate Linux is because it IS the right tool for 
the job, most of the time. And because I do care about choosing the 
right tool, I am not that comfortable with BSD as the server OS, cause 
I don't see it as a viable alternative for many tasks. 

> Coming back to the real topic, stack smashing isn't the only security
> problem that exists, and that's why openbsd uses cryptographically
> strong RNGs to generate PIDs and any other identifiers used within
> the OS, that's why openbsd encrypts IPC between local processes, that's
> why openbsd gives applications the ability to define what things they
> can and/or can't do (ie execute exec and system). Many of the things
> above have already been implemented in freebsd and netbsd.

Nice to know these technicalities. Still doesn't resolve the problems 
that I mentioned above.

>  > There certainly are specialized versions of Linux that are very
>  > secure, like NASA's version.
>
> Again, if you look at the blueprint of implementations for the
> modification of linux in these distros, you will see that all the
> "new" things are actually implementations of ideas which have already
> been implemented in openbsd. The main problem with linux security is
> one that resides in the kernel; a lot has to be modified in the kernel
> before it can reach a point where one can say it's secure enough to
> be a tool for consideration. That's not to say it's not good for
> multi-user environments, ie: web-servers; it just means you need some
> kind of sandboxing around the server to protect it from the rest of
> the world.
>
>  > And I personally don't agree with many of Theo de Raadt's extreme
>  > ideas...
>
> Which ideas? What on earth could this man have said that you feel
> you need to object to? All he is interested in is integrating new crypto
> technologies in openbsd; I can't see how your ideological paths could
> ever cross.
>
> Which of his ideas are extreme? Is implementing an open, transparent,
> publicly scrutable and secure environment extreme?

Oh! I thought everybody just knew that the guy is insane. You certainly 
haven't been on any OpenBSD mailing list. 

http://www.alternet.org/print.html?StoryID=16351

Or google his name. 

>  > Agreed, even cracking needs a certain level of knowledge. Breaking
>  > the DRM of a music format is for example, cracking. These are just
>  > script kiddies.
>
> Incorrect again. The DRM of any media can be broken easily without any
> need for "specialized" knowledge by intercepting the decoded media as
> it's being sent to the device, be it audio, video or text. That is the
> biggest problem facing media player manufacturers, be they hardware or
> software. There is NO way one can stop such hacking, other than to
> allow it to happen and then later on determine who let the copy of the
> media loose through traitor-tracing (digital watermarking the media
> with customer IDs).

OK, nice. But still I call all of this, CRACKING. And I don't think it 
is wrong, and I think it falls under fair use in the copyright law 
(though DMCA might make it illegal).


> In fact there was an article several months ago about a group that
> was removing DRM from WMAs by intercepting the buffered sound stream
> as it was being sent to the sound card interface. This allowed them
> to resave the file with the same quality as it was sampled in the DRM
> protected WMA. 

They have cracked WMA, and RA so many times. Nothing new. Now everybody 
is trying to hack/crack Apple AAC, and the efforts haven't been 
fruitless.

> MS removed the API call from their official APIs, but
> you can still intercept the data by masquerading as a sound card
> driver and receiving the raw data, then saving it as a WAV, then
> converting to mp3 etc...


That will result in a bit of loss of quality. There is even a 3rd-party 
program on Mac OS X (forgot the name) that automatically does this. 
Play a file with it, it just captures the output of the sound card and 
turns it into raw WAV. However, this method means a little loss of 
quality.

Anyway, how is this relevant?

> The problem here is that once the security flaw can be compromised
> automatically (ie: some guy discovers it and creates a little app that
> exploits it, and the code for the exploit gets in the open), then
> simpletons gain access to it and go around wreaking havoc or attempting
> to wreak havoc.

True. However, the guy who discovers the flaw is a hacker/cracker. And 
as I said, I don't see how this is relevant to our conversation.

I already agreed with you, that those who just use a flaw in a CMS 
aren't really crackers, but just script kiddies. What part of my 
statement are you exactly complaining about?

>  > PHP-Nuke is designed with insecurity in mind :-)
>
> So what?

It was supposed to be humorous. See that sign at the end of the 
statement? It's called a smiley. There was no need for you to say 'so 
what?'.


>
>
>
> Regards


I am putting the ML on CC again, cause I don't think it is irrelevant 
for the ML.

>
>
> Arash

Cheers
Aryan
>
> __________________________________________________
> Be one who knows what they don't know,
> Instead of being one who knows not what they don't know,
> Thinking they know everything about all things.
> http://www.partow.net
>
> Aryan Ameri wrote:
>  > On Wednesday 07 April 2004 01:05, Arash Partow wrote:
>  >>A quick search on google for K-A(IRANIAN HACKERS) shows they've
>  >>done some other sites as well. This is probably another reason
>  >>why one should go to openbsd for server.
>  >
>  > C'mmon, let's not turn this in to a distro/OS war. I have nothing
>  > against *BSDs, I certainly applaud the work of the OpenBSD team,
>  > and their approach to security, But this has nothing to do with the
>  > OS. There certainly are specialized versions of Linux that are
>  > very secure, like NASA's version.
>  >
>  >>In any case they are
>  >>not hackers or crackers they are just simple script kiddies
>  >>with too much time on their hands.
>  >
>  > Agreed, even cracking needs a certain level of knowledge. Breaking
>  > the DRM of a music format is for example, cracking. These are just
>  > script kiddies.
>  >
>  >>Noting some sites that have been hacked by them, the thing
>  >>in common with all these sites was php-nuke...
>  >
>  > PHP-Nuke is designed with insecurity in mind :-)

-- 
<!-- "People can always be brought to the bidding of the leaders. That 
is easy. All you have to do is tell them they are being attacked, and 
denounce the pacifists for lack of patriotism, and exposing the country 
to greater danger."
-- Herman Goering -->

Aryan Ameri
