Here are my notes from the Usenix LISA XI conference in Monterey, CA.
I try to identify speakers, but still missed some, and there are parts
missing (I tend to stop taking notes if things get so interesting I
forget what I'm supposed to be doing). Comments which I added later are
in square brackets.

CERT BOF, 1830, 21 September, 1995

Ed DeHart of CERT started the CERT BOF by joking that the annual
Sendmail-LISA CERT Alert had come out [a problem with SunOS sendmail
when used with the -oR option]. Someone pointed out that last year it
wasn't exactly sendmail, but rather Majordomo's use of sendmail that
prompted the alert.
DeHart mentioned the latest release of sendmail, 8.7, which prompted
yet another comment--a person claimed that Marcus Ranum had a two-line
Perl script which would overflow a gets()-style buffer in the latest
release. Ranum came in a few minutes later, but did not comment on
this assertion in front of the group.
Syslog is considered by the CERT to be the other current problem. [It
is actually not the syslog daemon that's the problem, but the subroutine
which gets called by applications to communicate with syslog.]
DeHart next stated that CERT is primarily interested in infrastructure
problems, for example, people breaking into ISPs [Internet Service
Providers]. He hinted that CERT's role would be changing from incident
response to incident collection, infrastructure improvements, and working
with vendors to fix problems.
This prompted a question about why vendors still delivered
insecure versions of their operating systems. DeHart answered that
customers must demand securely configured operating systems before
vendors will be willing to deliver them. He mentioned a paper delivered
the day before, by a security administrator from Sun, who said that
SunSoft was not currently planning to improve the security of their
delivered products because surveys of customers indicated that security
was not an important consideration when buying OS products. [I'd asked
the same question several years ago and got the same answer--when
customers demand security, Sun will deliver it.]
DeHart pointed out that vendors whose names appear most regularly in CERT
advisories are cooperating with CERT. When a prominent UNIX vendor
has no CERT advisories, it simply means the vendor is not cooperating with CERT.
The tool apparently used during the Tsutomu Shimomura break-in is being
widely distributed. The tool takes advantage of 'r' commands (rlogin,
rsh), even if protected by tcp_wrappers or netacl, by using IP source
address spoofing. The interface makes this cracking tool easy to use,
asking for the name of the host to break into, and the name of the trusted
host to masquerade as.
DeHart repeated something he has said many times before--do the simple
things, and the crackers will go elsewhere. "Why spend 10 minutes when
they can take 30 seconds to get in?" [Perhaps this seems a little
unfair, but only about 70% of large, commercial sites have any type of
firewall (CSI report). And people are always adding new systems to the
network without checking them first for security.] The Berkeley 'r'
commands and NFS are not secure.
Question: What about Macs, NT, Windows 95? DeHart answered that we may
start seeing things, but so far they are mostly clients. Client
software is not susceptible to direct attacks.
Question: Will you report things like Word Virus? DeHart said not
currently. Can't deal with every PC bug.
There are about 12,000 addresses on the CERT mailing list for
advisories, and 50 parallel queues are used to deliver alerts (which
takes one to two hours). The CERT tools mailing list has been inactive for
months, and may not be re-opened.

Firewalls BOF, 1833, 21 Sept, 1995

Brent Chapman takes over, starting off with the brief history of the BOF
(started at the Third Usenix Security Symposium in Baltimore three
years ago). Currently 8,000 subscribers to firewalls, with perhaps
Carson Gaspar, of Lehman Brothers, next got things off to a lively
start. [Gaspar is a frequent poster to the fwtk-users mailing list.]
Carson asked the audience [about 110 persons] if he should rewrite the
ftp-gw proxy, part of the Firewall Toolkit, to do passive ftp, or
whether he should work with Brimstone SOS [which also has a license similar to
TIS for their proxies, but fewer services], because the code quality is
better. Security-wise, fwtk is good. But return codes are never
checked--when a proxy fails, it fails silently. [For some reason, he
doesn't know who wrote this "poor quality code".]
Marcus Ranum steps forward and says he wrote most of the code [his
name appears in most proxies except http-gw]. There is no explosion,
just tension and anticipation in the air. Carson then does an informal
survey. How many have commercial firewalls, how many have 'home-grown'
firewalls, how many have no firewall? About as many have commercial
products (~15) as have no firewall. More than three times as many have
'home-grown' firewalls. [In CSI's survey, 12% used TIS fwtk, and 16% stated
other, which probably includes a lot of SOCKS users, because SOCKS
wasn't listed as a category. So a Usenix LISA BOF was unsurprisingly
different than the CSI survey, which included large, not predominantly
UNIX, sites, and showed about 60-70% commercial firewall products.]
Brent Chapman commented on the licensing problem involved in publicly
available software, such as Majordomo, or the Firewall Toolkit.
Marcus Ranum stated that one major concern was divergent versions.
There were no security problems with the toolkit per se, but there were
known problems--many of which were dealt with in Gauntlet 3.0. [No one
mentioned that the issue of how to proceed with extending the toolkit,
or supporting it, was thoroughly hashed out during the Usenix Security
Symposium at Salt Lake City. Chapman does comment:]
"I for one do not want to go down that road again."
Gaspar hasn't given up yet, and wants to distribute code. Ranum
comes back again by saying the unreleased code base has diverged
enormously, so hard to know if what you are fixing has already been
[Question: Has anyone used plug-gw to push notes through a firewall?]
Alan Hannon, of Midnet, said he had done so, and plug-gw works fine for
anything that is many-to-one.
I asked Chapman about the syslog problem. He responded that the problem
is NOT in the syslog daemon, but in the function call library itself.
CSRG [Computer Science Research Group at Berkeley, which I thought had
disbanded] threatened to go through all the [UNIX] code and remove all
unbounded string copies [the problem], but gave up. [snprintf is the
solution, pointed out a participant in the front row.]
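The bounded-formatting approach the participant named, as an added example (not code from the BOF, from syslog, or from any toolkit mentioned here). The helper name bounded_log_line, the buffer size and the sample input are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 64  /* constructed size, small so truncation is visible */

/* The unbounded pattern under discussion, shown as a comment only:
 *     char line[LOG_LINE_MAX];
 *     sprintf(line, "%s: %s", tag, msg);   // overruns line[] when msg is long
 */

/* Hypothetical helper: format into a buffer whose size the caller states.
 * Returns 0 if the text fit, 1 if it was truncated, -1 on error.
 * The buffer is always NUL-terminated when size > 0. */
int bounded_log_line(char *out, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (out == NULL || size == 0 || fmt == NULL)
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(out, size, fmt, ap);  /* writes at most size bytes */
    va_end(ap);

    if (n < 0) {                        /* output or encoding error */
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= size) {            /* n = length the full text needed */
        if (size > 4)                   /* mark the cut in the stored line */
            memcpy(out + size - 4, "...", 4);
        return 1;
    }
    return 0;
}

int main(void)
{
    char line[LOG_LINE_MAX];
    char oversized[512];                /* constructed oversized input */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    int rc = bounded_log_line(line, sizeof line, "%s: %s", "daemon", oversized);
    printf("rc=%d len=%zu line=%s\n", rc, strlen(line), line);
    return 0;
}
```

Checking the return value matters as much as the bound: a caller that ignores the truncation result logs an incomplete line without knowing it.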
Ranum steps onto the soapbox and states that "C is not a secure language,
and UNIX is not a secure operating system. We're in the sendmail
bug-of-the-month club because of this." Software engineers need to grow up.
Hannon quips that this is like the hazardous waste industry--we're stuck
with what we have. Ranum retorts that the user community is still
buying toxic waste as fast as it can. Someone else asks, what about
using ADA on NT? Ranum apparently ignores this, saying that for some
applications, UNIX and C are not sufficient.
Another person I labeled said that he recommended a client buy
Gauntlet. The client did, then insisted that they permit IRC through
the firewall. TIS disagreed, the consultant disagreed, but IRC was
rammed through anyway.
Hannon asked what do people do about modems? Someone, a defense
contractor, said they had to fire someone to make people take notice of
the no modem policy. Carson said Lehman implemented a dial-out modem
pool, which is audited. Hannon said he worked hard so users would not
WANT a modem. Carson stated that they dial all lines, using numbers
acquired from facilities management, looking for modems. Two persons
were 'let go'. Another got a slap on the wrist for a 'technical
Chapman said that policy is a management issue [his new book has a great
chapter on policy, BTW]. Ranum responded by saying you need to get a
letter from the biggest, hottest person saying why the policy is
important, and then get approval from the highest ranking management
(president, vice-president) possible.
Sal Collora asked what is the real threat posed by modems? Who is going
to sit around dialing phone numbers looking for modems?
Hannon answers that he hasn't met enough dweebs. [I think, hasn't he
heard of demon dialers, invented for the Apple II in the late '70s?]
Ranum answered that he'd seen two firewall hosts broken into, both
because modem-based attacks had been used to sniff passwords. He also
said he has seen networks where the firewall host was the ONLY secure
Chapman also answered the question by saying that not publishing modem
numbers was security through obscurity. Assume the problem is an
insider or an ex-employee. Collora said he'd only been at this job two
months, and didn't want to beat his head against the wall.
John [jco @
com] recommended doing a cost analysis. No sense
building a fort protecting a dandelion. Chapman pointed out that just
the cost of restoring the data would justify a firewall in most cases
[one of my favorite points]. Secrecy, data integrity, and availability
are reasons for security. Why do you keep the data if you don't need it?
John said he is worried about demon dialing. And that his site was
fifth to be attached to the ARPANET, and they argued long and hard about
putting in packet filters, not even a firewall [the company which owned
that site now sells firewalls]. Ranum asked why they decided to add
protection, to which John didn't respond.
Another survey. How many here have done some form of risk assessment?
Around 20%. Have a site security policy? 20%. Have that policy signed
and approved by corporate officer? Only two hands go up.
Chapman points out that every site has a security policy, even if it's
not written. Ranum then makes certain people are still awake. He
mentions that in five years, lawyers will be able to sue for recovery of
damages for a break-in. When there is a body of law available, they can
slap suits without any effort. Likened this to soft body tissue damage.
[Another of my favorite points. You have a network which is
unprotected. Someone uses your network to break into another network, so
the attack comes from your site. Who gets sued? Who has deep pockets?]
Another unidentified participant said that it is hard to keep people from
screwing up machines. Chapman said you've got to do auditing. Carson,
responding to a question I didn't note, said security is an iterative
problem. Pick the two biggest problems and fix them. Then go on, pick
the next two top things, and fix those, and so on. He sleeps soundly at
night because he has three layers of protection [in Lehman's firewall?].
Ranum asks "Does Lehman have Flowtrans?" What scares Ranum is that the
Internet is often behind the firewall. Private connections, connections
to other organizations which are connected to the Internet. The Plan 9
guys, the Athena guys, have it right. Put security at the presentation
John pointed out that Ranum was saying six or seven years until
firewalls won't be needed, and now [several years later], he is saying
three or four years. Ranum answered by saying that security has got to
be everywhere. Someone wants fascinating thing X. Rather than simply
providing it, need to make a service oriented requirements analysis to
see if they really need X, and how to get data to X. Real purpose of a
firewall is to provide service. The six main services are Mail, Web,
FTP, Telnet, News, and DNS.
Another speaker said you can't control clients, to which Ranum responded
"The only way to solve bad management is to become it."
John pointed out that human engineering was the method used in the movie
Hackers to get the modem pool number. NEARNet has had to
deal with this. Their NOC [Network Operations Center] is one of the
largest in the world. They went ahead and did a cost analysis which
included the possibility that someone would set off a car bomb outside.
They concluded it wasn't worth building a bunker in the middle of Cambridge.
Collora said he's interested in moving to NT. Chapman said that you
should always pick the platform you are most familiar with. There are
more tools on UNIX than anything else. But if you don't have UNIX
expertise, you're in a tough position. Collora said that he would be
happy to buy something, then have a vendor to point a finger at. John
asked if he'd ever read a software license agreement, where the only
warranty is on the media used for distribution of the software.
And, amazingly enough, the meeting broke up in time for the reception in
the Monterey Aquarium at 2000.