Re: [linuxiran] www.pclinuxonline.com hacked by Iranians, what a shame!
From: Aryan Ameri
Subject: Re: [linuxiran] www.pclinuxonline.com hacked by Iranians, what a shame!!
Date: Thu, 8 Apr 2004 17:30:30 +0300
User-agent: KMail/1.5.3
On Thursday 08 April 2004 04:58, Arash Partow wrote:
> I'll start by adducing the following:
> "Tis better to remain silent and be thought a fool than to speak and
> remove all doubt"
Arash,
first of all, let me clear this:
Though your emails are always harsh, and you always sound like a
grandfather advising his 3-year-old son on what to do and what not to
do, I view your criticism as constructive, and look forward to reading
your messages and learning from them, even though sometimes, as I said,
you are truly harsh. I value your advice Arash, and I have learnt a great
many things from you to know that I should be grateful to you, but I
just want to tell you this: reading your emails, and trying to stay
calm, is difficult; especially when you use such an authoritative tone that
implies "what the hell do you know? I am the person with the knowledge
and know-how here". I never doubt your technical abilities, but my
advice as a young pupil to you is, try to use a calmer tone when
talking to someone who is not as knowledgeable as you in a specific
subject. As I said, reading your emails and trying to keep a straight
face are damn hard for me, really hard...
>
> 1.) I did not in any way imply, assert or assume a "distro/OS war",
> don't be so defensive try and UNDERSTAND what people are saying,
> try and comprehend the message and the context of the message that is
> being conveyed and don't just say things for the sake of just saying
> something.
I said this because I thought that the issue is related to PHP-Nuke, and
I thought running PHP-Nuke on any OS would mean dealing with the same
vulnerabilities; I didn't know that the BSDs had done something
specific to address the problem. My mistake.
> 2.) I believe in choosing the right tool for the job, the RIGHT tool
> for the job, not the culturally accepted one, not the one i am
> passionate about, not the one my girlfriend/wife etc tells me is
> good, not the one my religious or pop icon (whichever takes your
> fancy) tells me is good, not the one i read in an article on some
> popular site, I choose the right tool for the job based on what my
> logic and past experiences and current requirements deem to be the
> right tool for the job. Which job ? the job I have in front of me,
> what tool? the right tool. repeat after me the right tool for the
> job, the right tool for the right job. keep on repeating that to
> yourself until it really sinks in, as an engineer this is one of the
> fundamental principles you should work towards. There will always be
> a finite set of solutions which can be used to solve a problem, but
> out of this finite set there is a much smaller subset which are
> solutions which solve the problem fully, adequately and properly.
I do try to choose the right tool for the job, but I also take into
account other considerations. Who is providing my tool? What will be
the consequences of me using this tool? Will I be stuck with the same
vendor to provide me with the tool, or am I free to choose an
alternative vendor in future, without losing much productivity. In
other words, is this specific tool a proprietary lock-in, or does it
follow some kind of an accepted standard?
Just because something is the right tool for the job at a specific time,
doesn't mean that I should use it. I also do consider its future
viability. I am not sure I would rely on BSD for a long-term project. I
don't agree with slashdot saying "BSD is dying"; no BSD is not dying
and it will be around here for the foreseeable future, but it has
certainly lost commercial support, and hence, I don't really feel
comfortable using something that has no major backer.
I have nothing against the BSDs Arash. I am a great admirer of them. For
the record I have FreeBSD 5.1 installed on my machine, and I frequently
use it as a workstation OS. I also have used and continue to use
Darwin, which is another BSD-based kernel. I don't have any experience
with netbsd and openbsd, but I have enough knowledge about BSDs that I
am sure I will feel right at home, if/when I try to use them.
Having said this, my main complaint about using BSDs as a server OS,
especially in a commercial environment, is the lack of vendor and ISV
support for it. Please enlighten me, how do you plan to run Oracle or
IBM DB2 on your net/open/free bsd server? What about all those other
programs produced by Sybase, ComputerAssociates, PeopleSoft, ... and
many other independent software vendors, that support Linux, but not any version of
BSD? There isn't even a native Java SDK for the BSDs. The same story holds
for IHVs. openbsd and freebsd (I don't know about netbsd) currently do
not support the AMD64 architecture, something that Linux has supported
for so long, and even Windows is going to support in the near future. What
about the IBM PPC 970 processor (aka G5)? Again you will see that Linux
supports this platform, cause hardware manufacturers are now eager to
have Linux support on their platform. But when was the last time you
heard IBM, Sun, HP, etc. talk about BSD support on their platforms?
IIRC, the netbsd team had a hard job trying to port netbsd to
UltraSparc IV, cause Sun didn't supply them with adequate
documentation. The same documentation that they had readily made
available to the Linux developers (under NDA). This might not be a fair
game, but that's the game that is currently being played in the
industry.
Linux (good or bad) is now a buzzword. Any technically illiterate manager
has now heard of it, and with the backing of big vendors such as IBM
and HP, it has become a viable alternative in the computing industry.
Companies are now switching in hordes from proprietary hardware
platforms using Unix, to cheap x86 processors running Linux. I know,
the x86 platform is a horrible sh** but, who cares? right?
You have been working in the industry for so long, so I shouldn't
probably tell you this. But when advising a company on using a
software/architecture, you should take into account the manager's
familiarity with that software/platform. Managers and decision-makers
right now, know Linux, and you are able to find it in nearly every
Fortune 500 company. Can you say the same about BSD?
And also there is the problem with support. Which well-known established
company do you know that offers 24/7 risk-free international support
for any BSD? Sorry, I know that source is available and I can hack/
patch it, but wall street needs someone, some company, to be behind a
product and support it. That's the way business works Arash. Can't you
just see why BSDs are not a viable alternative as a server OS in the
industry?
I am not that knowledgeable to know if BSDs are more technically advanced
than Linux or not. They might be in certain respects, and I assume that
Linux is probably ahead of the game in a couple of respects. While no
one claims that the Linux kernel has a nice design, everybody agrees
that at least Linux is progressing really fast. It now has four
industry standard journaling file systems, where BSDs have none. The
2.6 kernel has made great strides in the SMP and scheduling sections, and I
bet Linux 2.6 is more scalable than any BSD kernel. It can easily use
32 processors, and SGI a while ago demonstrated a machine using 512
processors, running Linux. Last time I checked, everybody was saying
"yeah, you can use FreeBSD fine on a 4 processor machine, but don't go
anywhere higher than that". I don't think netbsd and openbsd are much
different in this regard. Linux now has support for hot-swappable hard
disks (on architectures that support it) and support for hot-swappable
CPUs is also on its way. Again, something that all BSDs are lacking.
Putting the technical arguments aside, as I said, for good or bad, BSDs
lost the publicity war in the 90s. There are thousands of reasons why
"Linux is the right tool for the job, and BSD isn't". How are you going
to respond when your client asks for Oracle support on the server? Are
you going to tell them "well you know, you shouldn't be really using
Oracle, cause Oracle doesn't support openbsd and openbsd uses libSafe,
and that is what really matters"?
Sorry, you just lost your client.
> what does this all mean? it means don't take the cheap path or the
> easiest path, don't take the path which makes you more comfortable,
> take the path which gets the job done properly, take the path which
> gets the job done right, take the path which does not barely get the
> job right, but fully without any exceptions gets the job done right
> AND properly. and if it takes a bit more work or resources or time,
> so what? the final result is important, not the elegance of the
> process.
>
>
> I wasn't advocating we should use openbsd for desktop workstations or
> that we should replace every system with an openbsd version, all I
> was saying was for server end applications openbsd is the RIGHT tool
> for the job, linux is a tool that currently gets the job done, but
> its not the right tool, nor does it get the job done fully. openbsd
> will get the job done right, fully without any exceptions.
See the exceptions above, on why openbsd doesn't get the job done.
> coming
> back to the rule, the right tool for the job. openbsd should be used
> for guarding clusters of less secure servers be them running linux or
> windows etc..
>
> I would never advocate a normal user (ie: accountant secretary,
> student etc...) to use openbsd as a workstation OS. openbsd's current
> specifications aren't meant for such uses, even though they can be,
> even though I use it and many people that I know use it as work
> stations.
I use Linux as my main OS and I am a devoted advocate of it. But even I,
don't think Linux is the right choice for the desktop, at least not for
many people and in many situations. It might be ready for the desktop
in a few years, but it's not there yet. On the other hand, I now
believe Linux is ready for the prime time on the server. From small
servers (i.e. web server, mail server, etc.) to middle level servers. I
can even buy the argument that the newer versions are even capable of
running mission critical systems (banking sector, airline industry,
etc). I however don't think "BSD is the right tool for this job"
because of the above reasons.
Now, here is my question. What makes you believe that Linux might be a
good choice for the desktop/workstation while openbsd is not? What
difference do you think the user will face when switching between these
platforms? The answer is nothing. Cause nearly all the user-space
applications are the same. They use the same compiler, they run the
same X, the same window manager, the same browser, the same editor,
etc. I don't really understand why you keep on saying that BSD is not
a good choice for the desktop (and you imply that Linux is), while as
far as I can see, for a user they make no difference. I can change my
mother's OS from Debian GNU/Linux to freebsd in an instant, and she
won't even notice the difference, cause she will keep on using the same
programs that she does now, namely KMail, Konqueror, Kopete, ... I bet
that she even won't see or know that her OS is changed. BSDs are as
good as any version of Linux for the desktop/workstation. Everybody is
just talking about Linux, cause well, it's the buzz now.
> now lets begin shooting down some of things you said:
> > C'mmon, let's not turn this in to a distro/OS war. I have nothing
> > against *BSDs, I certainly applaud the work of the OpenBSD team,
> > and their approach to security, But this has nothing to do with the
> > OS.
>
> totally incorrect. responsibility for security falls at each level of
> computing, user,application,os and hardware. each layer has to do its
> part. ESPECIALLY the OS since it can't guarantee a competent user or
> a competent application programmer.
>
> The problems with PHP-Nuke relate back to stack smashing. In short
> dangerous string processing functions in stdio and stdlib are called
> by the interpreter which are in turn being called by the php code.
> simple things like strlen, strcmp etc...
>
> openbsd fixed these problem by using implementations of those
> functions from a library called libSafe written by Arash Baratloo.
> They are the key elements in openbsd and now also in netbsd and
> freebsd which protect the OSs from such stack smashing. Again a
> competent programmer is needed to see the need for using these
> methods, just like a competent programmer is needed when it comes to
> deciding why one should use reentrant versions of a method rather
> than a non-reentrant version when it comes to concurrent programming,
> just like there needs to be a competent person when deciding what OS
> should be used for what task, and not just someone advocating the use
> of something just for the sake of using it not really knowing why
> they advocate it other than the fact that they seem to have spent a
> lot of time advocating it and wouldn't like to see their efforts go
> to waste.
keep bashing and bashing and destroying your opponent's personality,
without specifying anything specific.
Contrary to what you think Arash, I am not a Linux zealot. I don't
advocate its use everywhere. I have been advising nearly all my
friends to buy a Mac as their desktop/laptop computer, and during the
last 6 months, two of them actually listened to my advice, and now keep
thanking me for the choice that I recommended to them.
I am not even an OpenSource fanboy. I was involved in this project,
making a database of available houses in the city, so that students in
the university can easily find the right accommodation for themselves.
Having finished the DBMS course last semester, I was given the job of
choosing and setting up the database server, and I didn't even hesitate
in selecting Oracle. (MySQL sucks, PostgreSQL has the potential, but
isn't there yet).
I actually do believe in choosing the right tool for the right job. And
the reason that I advocate Linux, is because it IS the right tool for
the job, most of the times. And because I do care about choosing the
right tool, I am not that comfortable with BSD as the server OS, cause
I don't see it as a viable alternative for many tasks.
> Coming back to the real topic, stack smashing isn't the only security
> problem that exists and that's why openbsd uses cryptographically
> strong RNGs to generate PIDs and any other identifiers used within
> the OS, that's why openbsd encrypts IPC between local processes, that's
> why openbsd gives applications the ability to define what things they
> can and/or can't do (ie execute exec and system), many of the things
> above have already been implemented in freebsd and netbsd.
Nice to know these technicalities. Still doesn't resolve the problems
that I mentioned above.
> > There certainly are specialized versions of Linux that are very
> > secure, like NASA's version.
>
> Again if you look at the blue print of implementations for the
> modification of linux in these distros you will see that all the
> "new" things are actually implementation of ideas which have already
> been implemented in openbsd. The main problem with linux security is
> one that resides in the kernel a lot has to be modified in the kernel
> before it can reach a point where one can say its secure enough to
> be a tool for consideration, thats not to say it's not good for
> multi- user environments ie: web-servers, it just means you need some
> kind of sand boxing around the server to protect it from the rest of
> the world.
>
> > And I personally don't agree with many of Theo de Raadt's extreme
> > ideas...
>
> which ideas? what on earth could this man have said that you feel
> you need to object? all he is interested in is integrating new crypto
> technologies in openbsd, i can't see how your ideological paths could
> ever cross.
>
> which of his ideas are extreme? is implementing an open, transparent,
> publicly scrutable and secure environment extreme?
Oh! I thought everybody just knew that the guy is insane. You certainly
haven't been on any OpenBSD mailing list.
http://www.alternet.org/print.html?StoryID=16351
Or google his name.
> > Agreed, even cracking needs a certain level of knowledge. Breaking
> > the DRM of a music format is for example, cracking. These are just
> > script kiddies.
>
> Incorrect again the DRM of any media can be broken easily without any
> need for "specialized" knowledge by intercepting the decoded media as
> its being sent to the device be it audio, video or text. That is the
> biggest problem facing media player manufacturers be them hardware or
> software. There is NO way one can stop such hacking, other than to
> allow it to happen then later on determine who let the copy of the
> media loose through traitor-tracing (digital watermarking the media
> with customer IDs)
OK, nice. But still I call all of this, CRACKING. And I don't think it
is wrong, and I think it falls under fair use in the copyright law
(though DMCA might make it illegal).
> In fact there was an article several months ago about a group that
> was removing DRM from WMAs by intercepting the buffered sound stream
> as it was being sent to the sound card interface. This allowed them
> to resave the file with the same quality as it was sampled in the DRM
> protected WMA.
They have cracked WMA, and RA so many times. Nothing new. Now everybody
is trying to hack/crack Apple AAC, and the efforts haven't been
fruitless.
> MS removed the API call from their official APIs, but
> you can still intercept the data by masquerading as a sound card
> driver and receiving the rawdata then saving it as a WAV then
> converting to mp3 etc...
That will result in a bit of loss of quality. There is even a 3rd party
program on Mac OS X (forgot the name), that automatically does this.
Play a file with it, it just captures the output of the soundcard, and turns
it into raw WAV. However, this method means a little loss of quality.
Anyway, how is this relevant?
> The problem here is that once the security flaw can be compromised
> automatically (ie: some guy discovers it and create a little app that
> exploits it, and the code for the exploit gets in the open) then
> simpletons gain access to it and go around wreaking havoc or attempt
> to wreak havoc.
True. However the guy who discovers the flaw, is a hacker/cracker. And
as I said, I don't see how this is relevant to our conversation.
I already agreed with you, that those who just use a flaw in a CMS
aren't really crackers, but just script kiddies. What part of my
statement are you exactly complaining about?
> > PHP-Nuke is designed with insecurity in mind :-)
>
> So what?
It was supposed to be humorous. Read that sign at the end of the
statement? It's called a smiley. There was no need for you to say 'so
what?'.
>
>
>
> Regards
I am putting the ML again on CC, cause I don't think it is irrelevant
for the ML.
>
>
> Arash
Cheers
Aryan
>
> __________________________________________________
> Be one who knows what they don't know,
> Instead of being one who knows not what they don't know,
> Thinking they know everything about all things.
> http://www.partow.net
>
> Aryan Ameri wrote:
> > On Wednesday 07 April 2004 01:05, Arash Partow wrote:
> >>A quick search on google for K-A(IRANIAN HACKERS) shows they've
> >>done some other sites as well. This is probably another reason
> >>why one should go to openbsd for server.
> >
> > C'mmon, let's not turn this in to a distro/OS war. I have nothing
> > against *BSDs, I certainly applaud the work of the OpenBSD team,
> > and their approach to security, But this has nothing to do with the
> > OS. There certainly are specialized versions of Linux that are
> > very secure, like NASA's version.
> >
> >>In any case they are
> >>not hackers or crackers they are just simple script kiddies
> >>with too much time on their hands.
> >
> > Agreed, even cracking needs a certain level of knowledge. Breaking
> > the DRM of a music format is for example, cracking. These are just
> > script kiddies.
> >
> >>Noting some sites that have been hacked by them, the thing
> >>in common with all these sites was php-nuke...
> >
> > PHP-Nuke is designed with insecurity in mind :-)
--
<!-- "People can always be brought to the bidding of the leaders. That
is easy. All you have to do is tell them they are being attacked, and
denounce the pacifists for lack of patriotism, and exposing the country
to greater danger."
-- Herman Goering -->
Aryan Ameri
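Editor's note on the one technical point in the thread above (Arash's remarks on unbounded string functions and the bounded replacements OpenBSD shipped). Two caveats a practitioner would want: strlen and strcmp only read memory, so the frame-overwriting risk comes from the writing functions (strcpy, strcat, sprintf, gets); and libsafe, the Bell Labs library Arash mentions, is a preloaded library that intercepts those calls at run time and refuses writes that would cross the current stack frame, whereas the source-level fix is to use bounded functions and check their return value. The block below is an added example, not code from the thread, from PHP-Nuke or from libsafe: it puts the unbounded copy beside an strlcpy-style bounded copy that reports truncation. NAME_MAX, the function names and the constructed inputs are assumptions made for illustration.

```c
/* Added example for the stack-smashing point in the thread above: an
 * unbounded copy into a fixed stack buffer beside an strlcpy-style bounded
 * copy that reports truncation. This is not code from the thread, from
 * PHP-Nuke or from libsafe; NAME_MAX, the function names and the
 * constructed inputs are assumptions made for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* assumed size of the on-stack destination buffer */

/* Vulnerable pattern. strcpy stops only at src's terminating NUL, so a
 * src of NAME_MAX or more bytes writes past 'name' into whatever the
 * compiler placed after it: other locals, the saved frame pointer, the
 * return address. Shown for contrast; never call it with untrusted input. */
int greet_unsafe(const char *src)
{
    char name[NAME_MAX];
    strcpy(name, src);          /* length of src never compared with sizeof name */
    return (int)strlen(name);
}

/* strlcpy semantics (the interface OpenBSD introduced): copy at most
 * dstsize-1 bytes, always NUL-terminate when dstsize > 0, and return
 * strlen(src) so the caller can compare it against dstsize. */
size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hardened counterpart: returns the accepted length, or -1 when src did
 * not fit. Silent truncation is itself a bug class (a later component may
 * see a different name than the one that was checked), so over-long input
 * is rejected rather than shortened. */
int accept_name(const char *src)
{
    char name[NAME_MAX];
    size_t need = bounded_copy(name, src, sizeof name);
    if (need >= sizeof name)
        return -1;              /* would have overflowed greet_unsafe's buffer */
    return (int)need;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would smash greet_unsafe's frame. */
    const char *ok  = "aryan";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 40 bytes */
    printf("ok:  %d\n", accept_name(ok));    /* 5 */
    printf("bad: %d\n", accept_name(bad));   /* -1 */
    /* greet_unsafe(bad) is deliberately not called: it is undefined behaviour. */
    return 0;
}
```

The boundary worth testing is exactly NAME_MAX-1 versus NAME_MAX bytes of input: the first is the longest name that fits with its terminator, the second is the shortest one that would have overwritten the byte after the buffer in greet_unsafe, and accept_name rejects it instead of quietly dropping the last character.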