hitest Posted April 14, 2006

Interesting article. I'm not an engineer or a Windows expert for that matter. The pictures are intriguing. What do you think about the statements made in the article, jcl, iccaros? Is it true that Windows is harder to secure? I think Windows is harder to secure, but I'm very biased in favour of Linux.

link to article
jcl Posted April 15, 2006 (edited)

"The pictures are intriguing."

Unfortunately that's exactly what they are: intriguing. The article doesn't explain what the graphs represent ("system calls" is pretty damn vague) and the labels on the nodes (I assume those bars are labels) are illegible.

"What do you think about the statements made in the article jcl, iccaros?"

I think it's a troll. Unintentional, perhaps, but a troll nonetheless.

Edited April 15, 2006 by jcl
iccaros Posted April 15, 2006

Heheh.... great way to start a blood war...

I feel Windows is not secured because 1) an MCSE does not teach best security methods (I have two of them, one for NT4 and one for Windows 2000); it teaches the best way to sell your management people on Windows. I have met lots of MCSEs who really know nothing about computers. They know the key words, maybe even build a computer, but when it comes to the guts, what the kernel does at boot, do they know Windows does not ask for an address until you login, do they know that a Windows network mount is in user space and as such is really hard to write programs to use mounts? It's knowledge that keeps a system secure, it's understanding connections and the flow of events. Most Windows administrators really have no clue (I have to say the same for most Government UNIX administrators as they only know the few tasks they do at work).

It's rare to find people who really understand and know the Windows system. I have found Windows admins who can make Windows do anything they want, but not understand simple concepts, like terminal services is a gaping hole and needs to be secured behind firewalls. Windows, in its goal to become simple for anyone to use, has become harder to secure. Mac OS X is in the same boat. While most Mac installs are safe, have them put them up as a web server, and see how many Mac users assume that the system is already secure and do not do the homework and test to make sure. When was the last time at anyone's work did they do a penetration test? When did anyone say, we can't use ActiveX or Windows host scripting on a web server?? It's a path to the system... never.

Ah... the complexity of IIS is because it's so tightly interwoven into the OS; Apache rides on top of an OS, IIS is stitched into the heart when installed. Also I believe Visual Studio is to blame for some of this. It's easy... anyone can write code... great tool when used correctly, but too easy to write crap code.

My two cents...
hitest Posted April 15, 2006 (Author)

Thanks, jcl. I'm also a bit curious about the credentials of the writer. This is posted as a blog, but does not shed a lot of information on the background or knowledge base of the OP. This article is linked to from osnews.com. I like the system call pictures, but, like you, don't fully understand what they mean. Interesting stuff :-)
hitest Posted April 15, 2006 (Author)

Heh-heh. Yes, iccaros, that's why I didn't post this in the Windows section of the forum. I have respect for the Windows experts and don't want to seem like a troll. I don't want to start a blood war.

Thank you very much for your reply, iccaros. I really like hearing what master users like you and jcl think! It is very interesting to hear your point of view as a sysadmin. As a casual Linux hobbyist I'm not aware of a lot of the deeper issues.

I agree with your point of view about Windows. I was not aware that OS X needed work to be ready to be a web server. I like your thoughts about doing security tests on your servers, penetration tests, and determining that your servers are indeed bullet proof. You are saying that sysadmins should battle test their network and not assume that everything is secure. That makes sense to me.

Very cool stuff, iccaros.
TheTerrorist_75 Posted April 15, 2006 (edited)

Any OS improperly set up and used is insecure. The normal users are the ones at risk. Someone new to Linux, Mac or Windows can unknowingly run a system open to attacks. I am not a true expert on any OS, but I can state none of my Windows PCs have ever been crippled due to outside forces in the past 6 years. That's not bad for someone who has only used a computer since 1998. Of course I haven't surfed for cracks, warez, and other such programs since 2000. The only Linux OS besides Live CD versions I have tried was Mandrake 8.1. I gave up on that after being chased out of the Linux forum at TechTV with the constant "read the FAQ" demand. Just as with browsers, no operating system is more secure than another in the hands of someone ignorant in the setup and safe use of it.

Edited April 15, 2006 by TheTerrorist_75
shanenin Posted April 15, 2006 (edited)

"That's not bad for someone who has only used a computer since 1998."

I got you beat in that area. I just started using the computer in November of 2002 (day after Thanksgiving day sale). I took to it like an obsession.

Edited April 15, 2006 by shanenin
hitest Posted April 15, 2006 (Author)

"Any OS improperly setup and used is insecure."

Agreed! Well said! I've been using computers, Windows and Macs, for 10-15 years. I remember the excitement of being on dial-up, 14.4 with Netscape 1.0. Netscape 3.04 seemed like the perfect browser at the time. I've used Linux for a little under four years. I'm no expert, but a Linux hobbyist who likes to play with different OSs.
jcl Posted April 15, 2006 (edited)

"Thanks, jcl. I'm also a bit curious about the credentials of the writer. This is posted as a blog, but, does not shed a lot of information on the background, knowledge base of the OP."

His background looks okay. His ZD bio doesn't hint at any actual qualifications but that's not unusual. But we're treading close to argumentum ad hominem. His credentials are irrelevant to his argument.

Like I said, it could have been unintentionally trollish, a valid point compromised by a terrible presentation. Except... his comments about system calls, memory access, and buffer overflows are weird. Not really wrong but weird. It could be because he's writing for a layman audience I suppose.

"This article is linked to from osnew.com."

It was the response from OSNews that inspired me to call it a troll. The comments there read like the reaction to a successful troll.

Edited April 15, 2006 by jcl
hitest Posted April 16, 2006 (Author)

"It was the response from OSNews that inspired me to call it a troll. The comments there read like the reaction to a successful troll."

Yes, I read those comments too at osnews.com; they were very animated indeed. If he is a troll he certainly riled them up and accomplished his goal.
jcl Posted April 16, 2006 (edited)

Bored. strace'd Apache serving my (tiny) home page. Comments in brackets. Still don't understand his graphs.

<accept resumed>
getsockname
fcntl64 [get socket flags]
fcntl64 [set socket non-blocking]
read [failed read on socket]
poll [wait on socket]
read [read on socket, get the HTTP request]
gettimeofday
open [/etc/passwd]
fcntl64 [get /etc/passwd close-on-exec flag]
fcntl64 [set /etc/passwd close-on-exec flag]
_llseek [no-op]
fstat64 [get /etc/passwd status]
mmap2 [mmap /etc/passwd]
_llseek [seek in /etc/passwd]
munmap [unmap /etc/passwd]
close [/etc/passwd]
stat64 [stat index.html]
open [.htaccess]
fstat64 [.htaccess]
read [.htaccess]
read [.htaccess]
close [.htaccess]
lstat64 [index.html]
open [/etc/passwd]
fcntl64 [get /etc/passwd close-on-exec flag]
fcntl64 [set /etc/passwd close-on-exec flag]
_llseek [/etc/passwd]
fstat64 [/etc/passwd]
mmap2 [/etc/passwd]
_llseek [/etc/passwd]
munmap [/etc/passwd]
close [/etc/passwd]
open [index.html]
mmap2 [index.html]
writev [write HTTP headers + contents of index.html to socket]
munmap [index.html]
read [failed read on socket]
write [log, I think]
close [/etc/passwd again?]
poll [wait on socket]
read [favicon request]
gettimeofday
stat64 [favicon isn't at /var/www/favicon...]
lstat64 [...walking /var...]
lstat64 [.../var/www...]
lstat64 [...and the favicon still isn't at /var/www/favicon.ico]
open [/var/www]
fstat64 [/var/www]
fcntl64 [get /var/www close-on-exec]
getdents64 [read /var/www, still looking for /var/www/favicon.ico?]
getdents64 [finish reading]
close [/var/www]
gettimeofday
write [log again, I think]
writev [socket, 404 on the favicon]
read [failed read on socket]
write [log]
poll [waiting on socket, stopped strace'ing here because the connection will linger for a while]

Extra credit if you can see the big userspace function call. Double extra credit if you can guess which function it is.

Aside: Super fun "Apache spawns 47 processes to be a PITA" strace invocation:

$ ps auxc | grep apache | awk '{print $2}' | xargs -n 1 echo -p | xargs sudo strace -o trace

Edited April 16, 2006 by jcl
iccaros Posted April 16, 2006

I see a lot of file system stuff and writing to sockets. Are you talking about read, close, open, fcntl64, write, mmap2? They are all user space kernel calls... and why you should create a user with no shell that runs Apache. With fcntl64, are you running Perl or PHP?
jcl Posted April 17, 2006 (edited)

And here's IIS 5.1 on WinXP. Fewer comments because the NT syscall interface isn't well-documented and I'm not set up for debugging.

<coming out of NtWaitForSingleObject>
NtQueryInformationToken
NtSetInformationThread [switching impersonated user, similar to su'ing to different user]
NtQueryAttributesFile [file attr for /]
NtCreateFile [open /]
NtQuerySecurityObject [on /, getting required buffer size]
NtQuerySecurityObject [on /, with buffer]
NtQueryVolumeInformationFile [on /]
NtQueryInformationFile [on /]
NtSetInformationThread [switching impersonated user]
NtQueryInformationToken
NtSetInformationThread [switching impersonated user]
NtCreateFile [open /default.htm, doesn't exist]
NtSetInformationThread [switching impersonated user]
NtQueryInformationToken
NtSetInformationThread [switching impersonated user]
NtCreateFile [open /default.asp, also doesn't exist]
NtSetInformationThread [switching impersonated user]
NtQueryInformationToken
NtSetInformationThread [switching impersonated user]
NtCreateFile [open /index.htm]
NtQuerySecurityObject [/index.htm, checking required buffer size]
NtQuerySecurityObject [/index.htm, with buffer]
NtQueryVolumeInformationFile [/index.htm]
NtQueryInformationFile [/index.htm]
NtSetInformationThread [switching impersonated user]
NtClose [/index.htm]
NtClose [/]
NtQueryInformationToken
NtSetInformationThread [switching impersonated user]
NtCreateFile [/index.htm]
NtQuerySecurityObject [/index.htm, checking required buffer size]
NtQuerySecurityObject [/index.htm, with buffer]
NtQueryVolumeInformationFile [/index.htm]
NtQueryInformationFile [/index.htm]
NtSetInformationThread [switching impersonated user]
NtQueryInformationToken
NtSetInformationThread [switching impersonated user]
NtSetInformationThread [switching impersonated user]
NtDeviceIoControlFile [I think this is initiating an I/O op...]
NtRemoveIoCompletion [...that's completed here]
NtClose [/index.htm]
NtFlushVirtualMemory
NtDeviceIoControlFile [same as above...]
NtRemoveIoCompletion [...and again]

That's 14 fewer system calls than Apache and one more entry point. Around 22 of the 45 syscalls are related to security. It's possible that there's more happening here -- maybe a kernel-mode subsystem that didn't show up in the trace -- but it looks pretty good.

Edited April 17, 2006 by jcl
jcl Posted April 17, 2006

"I see a lot of file systems stuff and writing to sockets, are you talking about read,close ,open,fcntl64, write,mmap2"

You mean the "big userspace function call"? I meant the two identical sequences at lines 9-17 and 25-33. Looks like one of the libc passwd functions.

"with fcntl64 are you running perl or PHP?"

That's just Apache fiddling with file descriptors. It's a static page in a no-scripting directory.
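What jcl did by eye on both traces (count the calls, spot the two identical nine-call sequences that betray a single libc routine, and tally the security-related NT calls) can be automated. The script below is an added example written for this thread, not jcl's code: the two name lists are transcribed from the Apache and IIS traces posted above with the bracketed comments dropped, the `SAMPLE_STRACE` lines are constructed to show how real `strace -o` output would be fed in, and the `SECURITY_KEYWORDS` classification of NT calls is a keyword heuristic, an assumption of this example rather than anything the thread states.

```python
"""Summarise a syscall trace: total calls, per-syscall frequency, a
keyword count of security-related calls, and the longest run of calls
that occurs twice, which is the usual sign that one userspace library
routine was invoked more than once (the repeated /etc/passwd block in the
Apache trace). Added example, not code from the thread."""
import re
from collections import Counter

# Constructed input: the 59 syscall names from the Apache trace in this thread.
APACHE_TRACE = """
accept getsockname fcntl64 fcntl64 read poll read gettimeofday
open fcntl64 fcntl64 _llseek fstat64 mmap2 _llseek munmap close
stat64 open fstat64 read read close lstat64
open fcntl64 fcntl64 _llseek fstat64 mmap2 _llseek munmap close
open mmap2 writev munmap read write close poll read gettimeofday
stat64 lstat64 lstat64 lstat64 open fstat64 fcntl64 getdents64 getdents64 close
gettimeofday write writev read write poll
""".split()

# Constructed input: the 45 NT syscall names from the IIS 5.1 trace in this thread.
IIS_TRACE = """
NtWaitForSingleObject NtQueryInformationToken NtSetInformationThread
NtQueryAttributesFile NtCreateFile NtQuerySecurityObject NtQuerySecurityObject
NtQueryVolumeInformationFile NtQueryInformationFile
NtSetInformationThread NtQueryInformationToken NtSetInformationThread NtCreateFile
NtSetInformationThread NtQueryInformationToken NtSetInformationThread NtCreateFile
NtSetInformationThread NtQueryInformationToken NtSetInformationThread NtCreateFile
NtQuerySecurityObject NtQuerySecurityObject NtQueryVolumeInformationFile
NtQueryInformationFile NtSetInformationThread NtClose NtClose
NtQueryInformationToken NtSetInformationThread NtCreateFile
NtQuerySecurityObject NtQuerySecurityObject NtQueryVolumeInformationFile
NtQueryInformationFile NtSetInformationThread
NtQueryInformationToken NtSetInformationThread NtSetInformationThread
NtDeviceIoControlFile NtRemoveIoCompletion NtClose NtFlushVirtualMemory
NtDeviceIoControlFile NtRemoveIoCompletion
""".split()

# Assumption: NT calls whose name contains one of these substrings are the
# token, impersonation and ACL checks; the Linux names match none of them.
SECURITY_KEYWORDS = ("Token", "SecurityObject", "SetInformationThread")

# Start of an strace line, optionally prefixed by "[pid N]", a bare pid
# (strace -f -o) or a timestamp (strace -t); group 1 is the syscall name.
_CALL = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?(?:\d+\s+)?(?:\d\d:\d\d:\d\d(?:\.\d+)?\s+)?([A-Za-z_]\w*)\(")
# A call interrupted by a signal or another thread is finished on a later
# "<... name resumed>" line; it is counted there, where its result is.
_RESUMED = re.compile(r"<\.\.\.\s+([A-Za-z_]\w*)\s+resumed>")

# Constructed strace output exercising both line shapes and the exit marker.
SAMPLE_STRACE = """\
accept(3,  <unfinished ...>
open("/etc/passwd", O_RDONLY) = 12
fcntl64(12, F_GETFD) = 0
fcntl64(12, F_SETFD, FD_CLOEXEC) = 0
<... accept resumed> {sa_family=AF_INET, sin_port=htons(53118)}, [16]) = 11
+++ exited with 0 +++
"""


def syscall_names_from_strace(text):
    """Extract syscall names from strace output, one per completed call."""
    names = []
    for line in text.splitlines():
        if "<unfinished ...>" in line:
            continue  # counted when its "resumed" line arrives
        m = _RESUMED.search(line) or _CALL.match(line)
        if m:
            names.append(m.group(1))
    return names


def longest_repeated_run(calls):
    """Return (first_start, second_start, length), 1-indexed, of the longest
    run of syscalls that occurs twice without overlapping; None if no call
    repeats. Ties keep the earliest pair found."""
    n = len(calls)
    best = None
    for i in range(n):
        for j in range(i + 1, n):
            k = 0
            while j + k < n and i + k < j and calls[i + k] == calls[j + k]:
                k += 1
            if k and (best is None or k > best[2]):
                best = (i + 1, j + 1, k)
    return best


def summarize(calls):
    """Totals, per-syscall counts, security-keyword count and repeated run."""
    return {
        "total": len(calls),
        "counts": Counter(calls),
        "security_related": sum(1 for c in calls if any(k in c for k in SECURITY_KEYWORDS)),
        "repeated_run": longest_repeated_run(calls),
    }


if __name__ == "__main__":
    for label, calls in (("Apache", APACHE_TRACE), ("IIS 5.1", IIS_TRACE)):
        s = summarize(calls)
        print(f"{label}: {s['total']} syscalls, {s['security_related']} security-related")
        print("  most frequent:", s["counts"].most_common(3))
        a, b, n = s["repeated_run"]
        print(f"  longest repeated run: {n} calls at {a}-{a + n - 1} and {b}-{b + n - 1}:")
        print("   ", " ".join(calls[a - 1:a - 1 + n]))
    print("parsed from strace sample:", syscall_names_from_strace(SAMPLE_STRACE))
```

On the Apache list the repeated run is exactly the nine-call open/fcntl64/fcntl64/_llseek/fstat64/mmap2/_llseek/munmap/close block at lines 9-17 and 25-33 that jcl points at, which is the signature of one library routine reading /etc/passwd twice; on the IIS list the keyword heuristic flags 24 of the 45 calls, close to jcl's by-hand estimate, and the longest repeat is the eight-call create/query-security/query-information/impersonation block that IIS runs once per candidate file. For a real run, replace the transcribed lists with `syscall_names_from_strace(open("trace").read())` over the file the invocation in jcl's earlier post writes.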