Forwarded from: Eric Lee Green <ericat_private>
Cc: jericoat_private, nicole.bellamyat_private

On Friday 09 November 2001 01:57 am, InfoSec News wrote:
> Forwarded from: security curmudgeon <jerichoat_private>
> cc: nicole.bellamyat_private, errata submission <errataat_private>
>
> > http://www.zdnet.com/zdnn/stories/news/0,4586,2822782,00.html
> >
> > By Nicole Bellamy
> > ZDNet Australia [press release masquerading as news]
> > November 6, 2001 5:46 PM PT
> >
> > InterSect Alliance says it has developed the first integrated security
> > auditing and event logging subsystem for the open source Linux operating
> > system, beating much larger organizations to the punch.
>
> Oh, so now it's an IDS for Linux, and the first?
>
> So I guess LIDS (www.lids.org) doesn't count?
>
> And of course Marty over at Snort must be horribly disappointed by
> this revelation. (www.snort.org)
>
> And damn, the folks from Tripwire must be sawing at their wrists too.
> Tripwire was opensource and running on Linux when.. 1992 or 1993?

Sigh. Jericho, I must thank you for writing the rebuttal that I felt like
writing when I first saw this press release masquerading as news. I
suppressed my urge to respond because if I responded to every clueless
reporter out there I would have no time to do my real job (writing
clustering software at the moment, though I have done security engineering
in the past), but that was before I read Ms. Bellamy's extremely
unprofessional response to a previous criticism.

I have not in any way done any in-depth study of SNARE, since I am not its
target market, but from reading a brief description, SNARE appears to be a
useful tool, in that it apparently adds a user-friendly interface to
already-existing intrusion detection tools such as SNORT and Tripwire (or
perhaps their own re-implementations of those already-existing tools).
However, it adds no new functionality to the Linux security world.

Those of us who have been involved in Linux and Linux security for some
time (my experience in the Linux world dates to 1995, and my first use of
Unix was in 1985) will most probably not be in the target market for SNARE.
We're already running arpwatch, snort, logwatch, tripwire, portwatch, Big
Brother, etc. as well as (sometimes) our own home-brew software for
intrusion detection. Some of us are even running the BSD accounting tools
to look for suspicious commands as they are typed into the system, and
EMAIL said reports to an outside address.

An interesting and informative article could have been written starting
with the above premise (i.e. that SNARE brings security out of the realm of
security geeks into the realm of easy use by mere mortals). Unfortunately,
such an article was not written. Frankly, if Ms. Bellamy consulted any
"experts", they must have been a couple of pimply-faced kids at her local
computer club, or marketroids at local computer "research" firms, rather
than real Linux security experts (that is, people who have actually secured
Linux systems).

> > The two systems differ in that while a network-based intrusion
> > detection tool enables the user to determine when an intrusion is
> > being attempted, the host-based system allows the user to identify
> > when an intrusion has been successful.
>
> Ok so we make the qualification of NIDS vs HIDS here, and that explains
> Tripwire how? (snort!)

Not to mention "logwatch" (which watches the log file for suspicious
entries and reports them), or the BSD accounting tools, which can be
programmed to report suspicious commands being typed in by users with a few
lines of shell scripting and gratuitous grep abuse.

> > The Snare auditing subsystem is designed to "enhance an
> > organization's ability to detect suspicious activity by monitoring
> > system and user actions", as stated in its release report.
>
> /yawn
>
> This is old news in the IDS field. Also old news in the Linux IDS
> field.

Old news in the Unix IDS world, for that matter. My system administrator at
college used many of these same mechanisms -- in 1985! (Particularly the
BSD process accounting tools, which were used to detect students' attempts
to abuse the system... there were some rather surprised students who had
their passwords locked out by the admins after attempting to bypass system
security).

> > While working on similar tools for other operating systems, such as
> > Sun's Solaris and Microsoft's Windows NT--all of which contained an
> > audit collection subsystem--the company realized the lack of this
> > feature in Linux, and "thought something was missing," according to
> > Purdie.
>
> Err, perhaps I am just out of the loop here, but what does Sun/Solaris
> offer natively that Linux doesn't in the way of "audit collection
> subsystems"? I haven't kept up with Solaris after 2.6 really but I
> just don't see it offering that much more.

Basically, Solaris has a nice user interface to the underlying Sys V.4
tools that provide the same basic functionality as the BSD process
accounting tools used under Linux. You can produce pretty reports and
graphs and such, if I recall correctly (it's been six months or so since I
last touched a Solaris system). I believe they may even publish some of
these via SNMP so that network monitoring tools such as Big Brother or CA
Unicenter can monitor them. In any event, it is clear that we're talking
about a user interface difference, rather than a functional difference. An
article could be written about the importance of user interface and how it
affects perceptions of operating systems, but such an article was not
written.

> Gah. It is clear to me that this is a total fluff piece that could
> pass for a press release with a few minor changes. No background was
> done, no experts consulted.

It appears that her "expert" was a local "research" outfit (basically, the
Aussie equivalent of IDG), rather than someone who has actually secured
Linux systems. It appears that she did not do a basic web search to look
for other Linux security systems and attempt to contact any of those other
authors "on background" to verify that her tame talking mouthpiece at SNARE
was spewing real info rather than marketing BS. It appears that she never
went to http://www.linuxsecurity.com and clicked on the links there about
other security products for Linux. Frankly, I was taught better in high
school journalism class.

> Oh, any insipid legal threats from Nicole Bellamy will be published
> along with this errata. Since that seems to be her trend based on
> talking to others. (For the ISN crowd: she has threatened to sick her
> pet lawyers on someone who works in the open source community for
> telling her this article was full of shit.)

That sort of behavior is EXTREMELY unprofessional. You do not threaten to
sue potential sources for future stories. And if someone offers you
information, you accept it with a polite "thank you for your comments",
even if the offer is in a rather, err, rude, manner. Frankly, I knew better
than that when I was a 19 year old kid writing a computer club newsletter
column. I've had my own run-ins with journalists in the past when I felt I
was misquoted or that they misconstrued something about Linux, but at worst
we agreed to disagree. I cannot imagine any situation where threatening to
sue a critic is productive behavior for a journalist. After all,
journalists have resort to the ultimate court: the court of public opinion,
in which they have the capability of "stacking the deck" so to speak via
the power of the pen.

Do note, however, that Australia has very anti-free-speech libel laws.
Basically, if you say anything critical of a person in Australia, you must
be able to prove what you say beyond reasonable doubt. This is of course
the total opposite of the United States, where the person suing for libel
has the burden of proof, thus allowing greater freedom of speech. However,
I have no intention to go anywhere near Australia (and in fact I suspect
they would deny me a visa, due to my public criticisms of Aussie PM John
Howard's bigotry and poor treatment of non-whites), so I don't care what
Aussie law says.

Eric Lee Green          GnuPG public key at http://badtux.org/eric/eric.gpg
mailto:ericat_private   Web: http://www.badtux.org

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the
BODY of the mail.
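The "BSD accounting tools plus a few lines of shell scripting and grep" report that the mail above mentions, as an added example that is not part of the original post or of any product it discusses: it filters lastcomm-style process-accounting lines against a watch list and hands any hits to a mailer. The WATCHLIST entries, the sample accounting lines and the MAILER variable are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the "process accounting + grep"
# report the mail describes. The sample lines below are constructed to imitate
# lastcomm's layout (command, optional flag cluster, user, tty, cpu time,
# timestamp); on a real host, pipe `lastcomm` output into flag_commands instead.

# Commands worth a second look when run from a user shell (illustrative list).
WATCHLIST='^(su|sudo|tcpdump|nmap|gcc|chmod)$'

# Constructed sample of lastcomm-style output.
SAMPLE='ls          S   alice   pts/0   0.01 secs Fri Nov  9 01:57
su          S   bob     pts/1   0.02 secs Fri Nov  9 02:03
vi              alice   pts/0   0.40 secs Fri Nov  9 02:05
tcpdump     S   bob     pts/1   1.20 secs Fri Nov  9 02:09
gcc         F   carol   pts/2   0.90 secs Fri Nov  9 02:11'

# flag_commands: read lastcomm-style lines on stdin and print one
# "user ran command on tty at timestamp" line per command matching WATCHLIST.
# The flag cluster (S, F, D, X, C) is optional, so the user column shifts.
flag_commands() {
    awk -v pat="$WATCHLIST" '
        $1 ~ pat {
            i = 2
            if ($i ~ /^[SFDXC]+$/) i++       # skip the flag cluster if present
            user = $i; tty = $(i + 1)
            ts = ""                          # everything after "<cpu> secs"
            for (k = i + 4; k <= NF; k++) ts = ts (ts == "" ? "" : " ") $k
            printf "%s ran %s on %s at %s\n", user, $1, tty, ts
        }'
}

# send_report: filter stdin and hand any findings to $MAILER. Defaults to cat
# so the example runs offline; on a real host set something like
# MAILER='mail -s "acct report" ops@offhost.example' (constructed address).
# Returns 1 when nothing was flagged, so a cron job stays silent on quiet days.
send_report() {
    out=$(flag_commands)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out" | ${MAILER:-cat}
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | send_report
```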
This archive was generated by hypermail 2b30 : Mon Nov 12 2001 - 09:02:34 PST