"All or nothing" Re: tlug: "Linux myths"
- To: tlug@example.com
- Subject: "All or nothing" Re: tlug: "Linux myths"
- From: "Adrian D. Havill" <havill@example.com>
- Date: Wed, 06 Oct 1999 20:58:39 +0900
- Content-Transfer-Encoding: 7bit
- Content-Type: text/plain; charset=iso-2022-jp
- Organization: TurboLinux Japan
- References: <199910060058.AA00407@example.com> <14330.62168.892430.168010@example.com>
- Reply-To: tlug@example.com
- Sender: owner-tlug@example.com
Oooo, this really burned my bacon. (This is kinda evangelism and off topic [I'd rather talk about Linux than about other OSes] -- basically I agree with Turnbull 120%, and have some spleen to vent.)

"Stephen J. Turnbull" wrote:
>
> >>>>> "Chiew" == Chiew Farn Chung <cfchung@example.com> writes:
>
> Chiew> http://www.microsoft.com/ntserver/nts/news/msnw/LinuxMyths.asp
>
> Linux is "hyped"? My kudos to the guys who have spent their enormous
> ad budgets so well!
>
> It's interesting that every single statement in the Security section
> is at best questionable.

Especially the C2 security statement -- which is just plain false. In English -- NT has the _capability_ to be "C2 secure" (which is abusing the term, really) -- providing you meet VERY unrealistic requirements -- like not connecting it to a LAN, and especially the internet. Which DQs 99.999% of most NT Servers.

If you've ever used the "C2Config" utility in the NT resource kit (which costs extra, I might add -- freshly installed NT is nowhere near being C2 secure), you know that by locking down the registry, WINNT directory, and such, you break a lot of Windows apps. (And just by using C2Config, you don't automatically become "C2 secure" -- there's still a lot of work to do on the part of a sysadmin.) This is because a lot of apps, written by MS and "Certified for use with 95/NT" (often meaning they targeted it for 95 first and did a cursory check to see if it runs on NT in a certain config), _rely_ on a lot of dangerous registry sub-hives and keys to be open and many directories (which shouldn't be world-writable, but are) to be writable (even if the app doesn't write to the file, "locking" a file requires write permission). Which means that a lot of apps, if you're C2 locked down, have to run as "Administrator" to get them to work properly.

"All or nothing" because even apps by MS, which are labeled by MS as "for Windows 95/NT", don't work quite properly when not run as Administrator... which probably means the development was either done entirely on Win95 and tested only as "Administrator" with NT. So much for security.

Notice the complaint in the above MS URL about the superuser system being "All or nothing". They're borrowing the same line that was used to criticize their ActiveX technology (which uses ONLY digital signing for security and no "sandbox"... whereas Java uses digital signing AND sandboxes for fine-grained security). NT has the same "all or nothing" problem as a "superuser" system... except to a greater degree, because if ANY user account is compromised you can do enough damage to NT (through the registry) to render it unusable and unrecoverable except through a restore from backup tape.

To test this, try, as an NT administrator, to turn off write access to everything in the "C:\WINNT" directory to all but Administrators. Lock down the "root" directory as well. A very reasonable security preventive measure, yes? Surely mere lusers shouldn't be able to replace system DLLs and store their word processing files in the root directory. Do this and watch MS "for Windows 95/NT" apps break -- often with bizarre error messages (my favorite is "out of disk space" on drives with gigs of space left -- apparently the 95 programmer makes the blanket assumption that if it can't write to the root directory, the system must be out of disk space -- no bother to check the actual error code returned or print the error string returned by the system -- we need to "dumb down" the error message for the luser -- that doesn't occur on the Win95 version of the Win32 API).

If the average NT admin told their boss, who had been sold the "C2 lie" by MS marketing, "well, you can run Office on your NT workstation _OR_ you can be C2 secure... and by the way, no connecting to the LAN," do you think the PHB is going to choose "C2 security?" All or nothing.

There ARE conceptual security dangers with the "root" style "all or nothing" superuser problem in Linux, which have been rightly pointed out by many old-time mainframers, who are used to a much more complex division of OS rights -- the theory being that if one layer/ring of the OS or one type of "administrator" is compromised, you haven't lost the whole ship, only part of it. *But* NT's ACL system does not solve this -- there are only two "sub-admin" type groups in off-the-shelf NT, backup operators and power users. You can modify the rights the ACLs have and divvy up the rights, but this is a lot of work and you're liable to create more problems (apps breaking because of unexpected rights) than you solve. NT out-of-the-box currently sets up the Administrator as being the equivalent of the Unix "root". Crack that account and you've hit the jackpot. All or nothing.

In other words, if you actually want to implement the pseudo-quasi-interleaved-rights style admin system that mainframers point out as the weakness of Unix-style security, and that MS marketing is alluding to in its FUD, you can forget about running your favorite MS apps. Better custom design them, 'cause off-the-shelf apps are going to freak out on install if the operator doesn't have what the app expects... someone with "Administrator" (read: "superuser", "root", "all or nothing").

But ACLs are neat and an improvement over the uid/gid coarse division, IMO (a feature I miss from my favorite proprietary SVR4-based OS) -- hopefully someday Linux will support them.

Another example of "all or nothing" is the so-called "service packs," which gratuitously "add" software such as IE/IIS -- which is outright SOFTWARE BLACKMAIL -- "don't want IE? Fine, you can't get these bugs fixed." Yet another reason why IE became so popular... NT people that started with SP1 had no choice -- they needed the fixes in the service packs, and didn't have a choice. The service pack doesn't quite give you an option as to which things you "want to add."

You can even set the WINNT and root directory to allow people to ADD files, but not change or delete (something that Unix/Linux-style security on ext2 can't do) -- many apps will still break because the Win32 API requires a file to be "writable" to mutex lock it... hence some key system files/registry entries are world-writable because they need to be "locked" by some apps... meaning that a malicious cracker that has ordinary user privs (disgruntled worker) could replace a key system file with a "trojan horse" for the Administrator to run.

Here's the sad and fundamental problem with NT: NT _according to the blueprints_ is conceptually secure. (And the kernel design, according to the blueprints, is conceptually secure.) The problem is marketing's hell-bent determination to make NT run as many 95 apps as possible, which means that MS engineers had to compromise the _implementation_ and intentionally not lock down the system as much as they could (while still being able to claim it had security) to be compatible with 95 programs (because NT needed the 95/3.1 software base to be "marketable"), which don't expect things to be secure. It is because of this deliberate marketing decision to compromise the security in the name of software availability that NT can't be taken too seriously as being "committed" to security. Exactly how secure can an OS be that is designed to be backwards compatible (as much as possible, at least) with software designed for PC-era OSes (3.1, 95), that have absolutely ZERO security? Kind of sad, really.

I have no doubt in my mind that many of NT's problems are not due to incompetence by MS's elite development staff (they've got the money to hire whomever they want, after all), but to marketing forcing development to bastardize the original plan "in the name of marketshare." Beware of tech companies where marketing has final say or is above development (officially or unofficially) on the org chart.

Marketing people rarely have enough tech knowledge to see how their development decisions (the "give the customers what they want and need" -- which is a valid way of thinking, but they all too often sadly extend this to "if it sells better, it must be what the customer really wants, and if the customer wants it, it must be better than before", which is not necessarily true), made without honestly listening to the developers' opinions (who are lower on the totem pole because they don't sell product directly), affect the longer term "big picture."

-- 
Adrian HAVILL
PGP Key Fingerprint: D5B6 321C 0F82 117D EAC2 6D08 D942 FA38 7427 8195

-------------------------------------------------------------------
Next Technical Meeting: October 9 (Sat), 13:30   place: Temple Univ.
 * Linux Internationalisation Initiative (Li18nux)   speaker: Akio Kido
 * Japanese TrueType Fonts   speaker: Adrian Havill
Next Technical Meeting: November 13 (Sat), 13:30   place: Temple Univ.
 * Network Security   speaker: Steve Baur
Next Nomikai: December 17 (Fri), 19:00   Tengu TokyoEkiMae 03-3275-3691
-------------------------------------------------------------------
more info: http://www.tlug.gr.jp   Sponsor: Global Online Japan
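Editor's added example, not part of Adrian's post: the post's "out of disk space on a drive with gigs free" anecdote is the classic result of an application that ignores the error code the OS returned and reports every failed write as a full disk. The block below is portable POSIX C written for this page (the post is about Win32, where the same check would inspect GetLastError() and tell ERROR_ACCESS_DENIED apart from ERROR_DISK_FULL); it puts the naive classifier beside the correct one so the difference is visible on a locked-down or nonexistent directory. The sample paths in main() are constructed for the demonstration.

```c
/* Added example (not from the original post): tell a locked-down
 * directory apart from a full disk by looking at errno, instead of
 * assuming "no write = no space" as the Win95-era apps in the post did. */
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum create_result {
    CREATE_OK = 0,
    CREATE_DISK_FULL,      /* ENOSPC, EDQUOT: genuinely out of space or quota */
    CREATE_ACCESS_DENIED,  /* EACCES, EPERM, EROFS: directory locked down or fs read-only */
    CREATE_PATH_MISSING,   /* ENOENT, ENOTDIR: the parent directory is not there */
    CREATE_OTHER           /* anything else: show strerror() to the user */
};

/* The behaviour the post complains about: the error code is ignored and
 * every failed create is reported as a full disk. */
enum create_result naive_classify(int err)
{
    (void)err;
    return CREATE_DISK_FULL;
}

/* The fix: map the errno the kernel actually returned to a meaningful outcome. */
enum create_result classify_errno(int err)
{
    switch (err) {
    case 0:
        return CREATE_OK;
    case ENOSPC:
#ifdef EDQUOT
    case EDQUOT:
#endif
        return CREATE_DISK_FULL;
    case EACCES:
    case EPERM:
    case EROFS:
        return CREATE_ACCESS_DENIED;
    case ENOENT:
    case ENOTDIR:
        return CREATE_PATH_MISSING;
    default:
        return CREATE_OTHER;
    }
}

const char *result_message(enum create_result r)
{
    switch (r) {
    case CREATE_OK:            return "ok";
    case CREATE_DISK_FULL:     return "out of disk space";
    case CREATE_ACCESS_DENIED: return "permission denied (directory is locked down)";
    case CREATE_PATH_MISSING:  return "directory does not exist";
    default:                   return "unexpected error";
    }
}

/* Try to create (and immediately remove) a file at path.  Returns the
 * classified outcome; if err_out is non-NULL the raw errno is stored there
 * so the caller can still print strerror(err) for the unexpected cases. */
enum create_result try_create(const char *path, int *err_out)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) {
        int err = errno;   /* save it before any other call can clobber it */
        if (err_out)
            *err_out = err;
        return classify_errno(err);
    }
    close(fd);
    unlink(path);
    if (err_out)
        *err_out = 0;
    return CREATE_OK;
}

int main(void)
{
    /* Constructed sample paths: the second one has a device file as a path
     * component, so the create fails with ENOTDIR, not because the disk is full. */
    const char *paths[] = { "/tmp/example-create-check", "/dev/null/example" };
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int err = 0;
        enum create_result r = try_create(paths[i], &err);
        if (r == CREATE_OK)
            printf("%s: created and removed fine\n", paths[i]);
        else
            printf("%s: naive app says \"%s\"; correct answer is \"%s\" (errno: %s)\n",
                   paths[i], result_message(naive_classify(err)),
                   result_message(r), strerror(err));
    }
    return 0;
}
```

Run it as an ordinary user against a directory you have made non-writable (chmod 555) and the second column reports "permission denied" where the naive column still insists the disk is full; the point for the administrator is that a lock-down should produce an actionable error, and the application is the place to make that happen.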
- Follow-Ups:
- tlug: "Linux myths"
- From: Matt Gushee <mgushee@example.com>
- "All or nothing" Re: tlug: "Linux myths"
- From: "Stephen J. Turnbull" <turnbull@example.com>
- References:
- tlug: "Linux myths"
- From: Chiew Farn Chung <cfchung@example.com>
- tlug: "Linux myths"
- From: "Stephen J. Turnbull" <turnbull@example.com>