
Security vulnerability: all your stats are belong to us
Hi all,

In the current GWN, Gentoo announced the following:


Gentoo buildtime and statistics database client

After many months since the old Gentoo statistic database went away,
basc, a new buildtime and statistics client, is now in Portage. basc
updates information about a host running Gentoo Linux to a central
server [1] (in this example: RAM statistics). Among other information,
the client collects the kernel's .config and the xorg.conf files, and
the developers involved are currently evaluating whether it is possible
to have it 'suggest' configurations to new users based on previous
configuration file contributions.

[1] http://www.gentoo-stats.org/index.php?c=memstats


After looking at the page I discovered that the whole implementation has
"some" serious security problems:

You can easily track down all data acquired by "basc" to single systems.
This means, iff you have basc installed
-everyone can see what kernel you are using
-everyone knows your kernel config and
-everyone knows what ebuilds you have installed.

IFF you provided a complete hostname
-everyone can easily find your system and use the information provided
against you.


You don't believe?
Here's the example:
http://www.gentoo-stats.org/index.php?c=userpage&sys=1


I think I don't have to tell how to see other systems or that one could
script the whole process of gaining information and using it against the
owner of the systems.



Regards
Tantive
Re: Security vulnerability: all your stats are belong to us
>You can easily track down all data acquired by "basc" to single systems.

I don't understand how you are making the leap from an anonymous hostname to
an attackable IP address?

-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
Re: Security vulnerability: all your stats are belong to us
What you're saying is that having people voluntarily post their system
information and .configs on the web is a security flaw.

Well, OK. It's a risk, yes. But firstly, gentoo-stats is not an
official Gentoo project, and second, it's voluntary. It's not as if
Gentoo installs a backdoor that posts all your personal information on
the web. I think that the chance of this being an issue for even the
most paranoid person is pretty slim.

This discussion happened to remind me of a quote I think is kinda
relevant, though. So says Bruce Schneier,

If I take a letter, lock it in a safe, hide the safe
somewhere in New York, then tell you to read the letter,
that's not security. That's obscurity. On the other hand, if
I take a letter and lock it in a safe, and then give you the
safe along with the design specifications of the safe and a
hundred identical safes with their combinations so that you
and the world's best safe crackers can study the locking
mechanism--and you still can't open the safe and read the
letter--that's security.

I admit that every bit of security helps, and we shouldn't trade our
systems' integrity for mere bravado, but at the risk of seeming
dismissive, I just really don't think that configs and installed
packages are a big deal.

Thanks for pointing it out, though. I'm sure people will now consider
more carefully the effect of posting this information.

--
Dan Margolis
Gentoo Security/Audit
Re: Security vulnerability: all your stats are belong to us
darren kirby wrote:

>>You can easily track down all data acquired by "basc" to single systems.
>
> I don't understand how you are making the leap from an anonymous hostname to
> an attackable IP address?

There are real, complete hostnames in this database. Search and you
shall find. "Leaping" is therefore not very difficult. Given GWN
publicity we can expect the number of people putting real full IDs in
gentoo-stats to increase dramatically.

This should (at the very least) be fully anonymized using faceless ID
numbers.

--
Koon
Re: Security vulnerability: all your stats are belong to us
Dan Margolis wrote:

> What you're saying is that having people voluntarily post their system
> information and .configs on the web is a security flaw.
>
> Well, OK. It's a risk, yes. But firstly, gentoo-stats is not an
> official Gentoo project, and second, it's voluntary.

Even if it's not, it sounds like an official Gentoo project. It makes
use of the Gentoo name and it was publicized on GWN.

Having a database of careless users security-unconscious enough to
participate in this and post their real hostname, along with all the
packages installed, makes life very easy for attackers.

If a few machines are compromised using this database to precisely
target vulnerable machines, /. will remember the GWN, the "gentoo" in
gentoo-stats and the fact that we included it in Portage. Not that we
warned against it and that it wasn't "an official" Gentoo project.

We'll be the distribution that made life easier for attackers. You're
right not using it won't make those users any more secure, but it will
still make them a lot less likely target for automated tools.

--
Thierry Carrez (Koon)
Operational Manager, Gentoo Linux Security
Re: Security vulnerability: all your stats are belong to us
Thierry Carrez <koon@gentoo.org> writes:

> There are real, complete hostnames in this database. Search and you
> shall find. "Leaping" is therefore not very difficult. Given GWN
> publicity we can expect the number of people putting real full IDs in
> gentoo-stats to increase dramatically.

I assume that by 'complete hostname' you mean the FQDN (Fully
Qualified Domain Name). Looking at my entry it only shows the hostname
not the domain part. So maybe the problem is that whoever set up the
systems showing the 'full hostname' either did not appreciate that
normally the hostname and the domain name are set up separately, or
they had specific reason for setting the domain name as part of the
hostname.

--
gentoo-security@gentoo.org mailing list
Re: Security vulnerability: all your stats are belong to us
Thierry Carrez wrote:
> darren kirby wrote:
>
>>I don't understand how you are making the leap from an anonymous hostname to
>>an attackable IP address?
>
>
> There are real, complete hostnames in this database. Search and you
> shall find.

I am well known for being thick, so can you please help me here?
I emerged the basc package, and just ran it.
On the database I can search for my two machines by their hostnames.

But... I can't see any piece of information that gives a domain name, an
IP address, or anything from which these can be deduced.

You say I am advertising my machines for attack - could you show me
where this information is please?

Thanks
Ian

Re: Security vulnerability: all your stats are belong to us
Ian Pickworth wrote:

> I am well known for being thick, so can you please help me here?
> I emerged the basc package, and just ran it.
> On the database I can search for my two machines by their hostnames.
>
> But... I can't see any piece of information that gives a domain name, an
> IP address, or anything from which these can be deduced.
>
> You say I am advertising my machines for attack - could you show me
> where this information is please?

Oh no. I'm not saying *every* BASC user is advertising his machines for
attack. I'm saying *some* BASC users inadvertently will. In fact, 6% of
them currently do.

Replacing "hostnames" (that apparently *can* contain FQDN) by anonymous
ID numbers should solve that issue.

--
Koon
Re: Security vulnerability: all your stats are belong to us
Hi

On Thursday, 30 December 2004 11:46, Thierry Carrez wrote:
> Oh no. I'm not saying *every* BASC user is advertising his machines
> for attack. I'm saying *some* BASC users inadvertently will. In
> fact, 6% of them currently do.
>
> Replacing "hostnames" (that apparently *can* contain FQDN) by
> anonymous ID numbers should solve that issue.

Thanks for this thread.

I was one of those 6%, at least with one computer (it's fixed now).

I wasn't aware that /etc/env.d/01hostname was used to determine the
hostname (as opposed to `hostname`). Neither was I aware that the FQDN
was exported to the database (naïve, ok). And even more, I don't know
what idea got me when I entered the FQDN into /etc/env.d/hostname 8p.

I guess it'd be helpful for dummies like myself to have basc warn about
this. I'll open a bug report about it.

Cheers
Urs

--
Urs Joss
4055 Basel

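The two fixes proposed in this thread, warning the user when the configured hostname carries a domain part (Urs's bug report) and replacing hostnames with faceless ID numbers on the server side (Koon's suggestion), can be sketched in a few lines. The following is an added example, not code from basc or gentoo-stats; it assumes the `HOSTNAME="..."` layout of /etc/env.d/01hostname mentioned above and uses a constructed sample file. The ID is a keyed HMAC rather than a bare hash, because hostnames are low-entropy and an unkeyed digest could be reversed by guessing.

```python
"""Added example (not part of the thread or of basc): flag an FQDN in a
Gentoo-style /etc/env.d/01hostname file and derive a faceless ID for it."""
import hashlib
import hmac
import re
import secrets

# Constructed sample of the file format discussed in the thread
# (HOSTNAME="..." as in /etc/env.d/01hostname; the layout is an assumption).
SAMPLE_ENVD = '''# /etc/env.d/01hostname
HOSTNAME="mybox.example.org"
'''


def parse_hostname(envd_text):
    """Return the HOSTNAME value from an env.d-style file, or None."""
    for line in envd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'HOSTNAME\s*=\s*"?([^"]*)"?$', line)
        if m:
            return m.group(1).strip()
    return None


def looks_like_fqdn(hostname):
    """A hostname containing a dot carries a domain part; submitting it
    as-is would publish the machine's public name."""
    return "." in hostname.strip(".")


def faceless_id(hostname, key):
    """Keyed HMAC gives a stable, opaque ID for the same host on every
    upload. A plain unsalted hash would not do: hostnames are easy to
    guess, so the digest could be matched back to the name."""
    mac = hmac.new(key, hostname.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def prepare_submission(envd_text, key):
    """What a client could send instead of the raw hostname: an opaque ID,
    plus a flag the client can show the user before uploading anything."""
    hostname = parse_hostname(envd_text)
    if hostname is None:
        raise ValueError("no HOSTNAME found in env.d file")
    return {
        "system_id": faceless_id(hostname, key),
        "warn_fqdn": looks_like_fqdn(hostname),
    }


if __name__ == "__main__":
    # Per-installation secret, generated once and kept on the client.
    key = secrets.token_bytes(32)
    print(prepare_submission(SAMPLE_ENVD, key))
```

With the sample file the result carries `warn_fqdn: True`, so a client in this shape would prompt before uploading; a host configured as plain `mybox` gets the same opaque ID treatment without the warning.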
Re: Security vulnerability: all your stats are belong to us
On Thursday, 30 December 2004 11:54, Urs Joss wrote:
> I'll open a bug report about it.

Done. See Bug 76123 on http://bugs.gentoo.org/show_bug.cgi?id=76123

Cheers and regards
Urs

--
Urs Joss
4055 Basel

Re: Security vulnerability: all your stats are belong to us
Thierry Carrez wrote:

> Replacing "hostnames" (that apparently *can* contain FQDN) by anonymous
> ID numbers should solve that issue.

Please note that the site is under correction, sensitive information
should disappear soon.

--
Koon
Re: Security vulnerability: all your stats are belong to us
Dan Margolis wrote:
> I admit that every bit of security helps, and we shouldn't trade our
> systems' integrity for mere bravado, but at the risk of seeming
> dismissive, I just really don't think that configs and installed
> packages are a big deal.

Koon already dealt with the other points, but I'd like to mention that the
website also seems to report which kernel a box is running.

There have been a few major kernel vulnerabilities lately, and using that
statistics website to find a box with a vulnerable one doesn't seem all that
hard anymore...

It doesn't seem that the site reports version numbers, so that's alright, but
using an apparently "Official Gentoo" website to search for machines to crack
doesn't look very good...

--
[Name ] :: [Matan I. Peled ]
[Location ] :: [Israel ]
[Public Key] :: [0xD6F42CA5 ]
[Keyserver ] :: [keyserver.kjsl.com]
encrypted/signed plain text preferred
Re: Security vulnerability: all your stats are belong to us
On Thu, Dec 30, 2004 at 10:47:26AM +0100, Thierry Carrez wrote:
> Even if it's not, it sounds like an official Gentoo project. It makes
> use of the Gentoo name and it was publicized on GWN.

That's the only issue here. I don't see this software as an issue
within the purview of the Security Team, but rather the Gentoo
Foundation. The *only* issue I see is that they imply that they are an
official Gentoo project.

> If a few machines are compromised using this database to precisely
> target vulnerable machines, /. will remember the GWN, the "gentoo" in
> gentoo-stats and the fact that we included it in Portage. Not that we
> warned against it and that it wasn't "an official" Gentoo project.

Practically speaking, nobody would know if they were compromised
because of this, most likely, so /. *won't* remember this.

But regardless, Slashdot doesn't make the design decisions here. If
they did, Gentoo wouldn't be a very good distro (hey, you know me--I
can't resist a good jab at everybody's favorite zealot-fest).

> We'll be the distribution that made life easier for attackers. You're
> right not using it won't make those users any more secure, but it will
> still make them a lot less likely target for automated tools.

A brief summary of packages we ship that, probably in their default
configurations, make life easier for attackers:

net-misc/netkit-telnetd
any imap server
any pop server
any webmail software that doesn't require mod_ssl
any ftp server
any smtp server

Like I said, we give users enough rope to hang themselves. If we
didn't, it wouldn't be a usable distro.

The point I'm trying to make here is that this is a policy-level
issue: do we ship software that we ourselves wouldn't trust or use?
And the answer is, of course. So it's odd and inconsistent to make a
fuss about gentoo-stats, but not about RealOne (as an example of
something that might well contain spyware) or, really, all the
software in portage that we haven't audited to verify that it does not
contain a backdoor.

So this is why I don't feel that as a criterion, we can ban everything
that *we* judge to violate privacy. Clearly, some users *know* what
stats are reported and don't care. They voluntarily elect to install
it, and we force them to go edit their package masks because we think
it's in their best interests to not install it. Gentoo is not about
playing big brother, and, despite however Slashdot might interpret
this, I think *removing* this package is more heavy-handed than
allowing it.

However, I fully agree that there are trademark issues. I just feel
that if the trademark issue is resolved, the rest is resolved as
well.

Anyway, apparently the rest of the developer team disagrees with me,
so, whatever. I wasn't gonna use this software anyway. ;)
--
Dan Margolis
Gentoo Security/Audit