[ISN] Interview with Bob Toxen

From: InfoSec News (isnat_private)
Date: Tue Dec 17 2002 - 03:26:08 PST


    [Real World Linux Security 2/e by Bob Toxen is available at Amazon.com 
    for $34.99 - http://www.amazon.com/exec/obidos/ASIN/0130464562/c4iorg ]
    by Mirko Zorz 
    16 December 2002
    Who is Bob Toxen?
    I am cut from standard geek material. I love science fiction,
    especially Star Trek. From the time I was 14 I was hooked on
    computers. I was introduced to them with the APL language on the
    mighty IBM 360/91 at IBM's T.J. Watson Research Lab where my father
    was a research physicist.
    I have lots of electronic toys and have more computers in my house
    than I can count -- all running exclusively Linux. I love music,
    especially Gothic, Industrial, and Blues. I dabble in high voltage,
    pyrotechnics, and holography. For more excitement, I fly my plane, a
    Piper Arrow, around the Eastern United States and Canada.
    At Berkeley we competed for who had the best program, with the most
    features, most resistance to bad data, was written in the best style,
    and which ran the fastest. This was good practice for being a
    programmer and later for doing computer security. This obsession for
    quality seems universal among Linux developers and lacking in some
    proprietary software systems.
    I was one of the four programmers who ported Unix to the Silicon
    Graphics hardware for them. Later, I wrote a NFS server for Stratus'
    non-Unix operating system, debugging it with a LAN analyzer. I wrote
    several more network servers, one to track Space Shuttle payload data
    for NASA. This was good training for network security as I learned
    protocols down to the bit level. It enabled me to understand
    vulnerabilities and defenses down to this level too.
    How did you gain interest in computer security?
    I was a sophomore at the University of California, Berkeley in 1975
    when lots of exciting Unix work was being done. Unfortunately,
    undergraduates were not allowed to do Unix research at this public
    taxpayer-funded university by "the powers that be". A few friends and
    I solved this by breaking into the Unix system and conducting
    research without permission. Despite the best efforts of the
    SysAdmins, we did this for about three years straight until we
    finished school and headed for the salt mines of Silicon Valley.
    One of my original ideas was hacking the kernel so that instead of the
    erase character being a "#" character, erasing would generate the now
    universal backspace-space-backspace sequence to obliterate the now
    erased character. I did the same for line erase, replacing the "@"  
    character with however many backspace-space-backspace sequences were
    needed to erase the entire line on the screen. Doug Merritt helped
    with this work.
    I created the "lock" program to lock a terminal as a convenience over
    logging out to maintain security. I started enhancing the Unix Version
    6 shell before Bill Joy started on csh and Dr. Bourne did the Bourne
    Shell. Doug Merritt added vi-like editing to the shell. All of these
    things now are universal on Unix, Linux, and even Windows but we came
    up with the ideas.
    Our interest in security was to stay in control of the system to make
    improvements to it as well as the technical challenge. We never
    damaged anyone's data though the SysAdmins spent lots of time to try
    to get us out. They never caught Doug, Ross, or me, however hard they
    It was wrong for us to do this without permission and, instead, we
    should have found a sympathetic professor to arrange for us to get
    legitimate access. One of us (not the three named above) was arrested,
    spent a night in jail, and had to fight to avoid conviction due to our
    activities. This was my only less than white hat activity.
    What are your favourite security tools and why?
    IP Chains/IP Tables
    This is the "Killer App" that allowed Linux to be a good 
    Enterprise-class firewall. I find it far easier to configure than 
    Cisco's Pix, cheaper, and more versatile; IP Tables offers all of the 
    features that most organizations need.
    I wrote 60 pages on IP Tables in RWLS 2/e that includes "Tips and 
    Techniques" for easy rule set creation and debugging, a detailed 
    comparison of IP Tables with IP Chains, and complete IP Tables scripts 
    for SOHO and medium organizations that want a DMZ.
    Logcheck (my enhanced version)
    Logcheck takes the tedium out of properly checking your systems' log 
    files for attacks and illness. I find it better than other tools, such 
    as LogWatch, that either do not catch enough problems or do not 
    discard unimportant events. I recommend that anyone running LogWatch 
    immediately replace it with Logcheck.
    My enhancements include fitting each IP Chains/IP Tables entry on a 
    single line, being able to page the System Administrator for major 
    problems, and not repeating "Attack" entries in the "Violations" 
    section and not repeating "Violation" entries in the "Unusual" 
    section. This encourages one to read all sections, knowing that it 
    does not contain repeated data.
    This version is on the CD-ROM that comes with the book and has been 
    submitted back to Logcheck's original author.
    My own Adaptive Firewall
    It runs on top of IP Chains/Tables ("The Cracker Trap"). It locks an 
    attacking system out of one's network within a fraction of a second.
    Fyodor's wonderful tool allows a thorough analysis of a firewall, 
    network, or system very quickly and easily. Both SysAdmins and 
    crackers use it daily. I even use it to see if an e-commerce site has 
    made an effort to harden its server before I trust it with my credit 
    card number.
    Arpwatch (my enhanced version)
    This wonderful tool allows the SysAdmin to know when someone connects 
    a new system to the network or changes the IP address of an existing 
    system within seconds. This is critical to ensure that users do not 
    install "rogue" systems without authorization.
    It also is useful to detect if any systems become compromised. In the 
    latter case, the better crackers will change the system's IP address 
    to an unused one to make it harder to track down which system was 
    compromised. With Arpwatch, one will know which system was changed 
    unless the cracker changes both the IP address and MAC address 
    simultaneously. In this latter case one still will know that a rogue 
    system has appeared suddenly.
    Arpwatch was created by Craig Leres of Lawrence Berkeley Labs and I 
    have enhanced it extensively to be more useful for large networks with 
    multiple subnets and to properly detect bogons. Bogons are systems 
    whose IP address is incorrect for the network that they are on. Bogons 
    indicate systems that are incorrectly configured or compromised.
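    The detection logic described above (new station, changed Ethernet address, a known host moving to an unused address, and bogons on a multi-subnet network), written out as an added illustration in Python; this is not Toxen's enhanced Arpwatch nor Craig Leres's code, and the ARP observations and the per-interface subnet map are constructed here.

```python
"""Minimal Arpwatch-style monitor: new stations, MAC/IP changes and bogons."""
import ipaddress
from dataclasses import dataclass, field

# Constructed ARP observations: (interface, sender IP, sender MAC).
SAMPLE_ARP = [
    ("eth0", "192.168.1.10", "00:11:22:33:44:01"),  # first sighting
    ("eth0", "192.168.1.11", "00:11:22:33:44:02"),  # first sighting
    ("eth0", "192.168.1.10", "00:11:22:33:44:01"),  # unchanged: stays silent
    ("eth0", "192.168.1.10", "00:11:22:33:44:99"),  # different MAC on a known IP
    ("eth0", "192.168.1.50", "00:11:22:33:44:02"),  # known host re-addressed itself
    ("eth0", "10.0.0.7",     "00:11:22:33:44:03"),  # bogon: IP not valid for eth0
    ("eth0", "192.168.1.77", "de:ad:be:ef:00:01"),  # new IP and new MAC at once
]


@dataclass
class ArpMonitor:
    subnets: dict                 # interface -> ip_network expected on it
    ip_to_mac: dict = field(default_factory=dict)
    known_macs: set = field(default_factory=set)

    def observe(self, iface, ip, mac):
        """Return the alert strings raised by one ARP observation."""
        net = self.subnets[iface]
        if ipaddress.ip_address(ip) not in net:
            # Misconfigured or compromised host; do not learn it into the table.
            return [f"bogon {ip} ({mac}) on {iface}: not in {net}"]
        alerts = []
        if ip not in self.ip_to_mac and mac not in self.known_macs:
            alerts.append(f"new station {ip} {mac}")
        elif ip not in self.ip_to_mac:
            # Known MAC at an address never seen: the host changed its own IP.
            alerts.append(f"known host {mac} moved to unused address {ip}")
        elif self.ip_to_mac[ip] != mac:
            old = self.ip_to_mac[ip]
            alerts.append(f"changed ethernet address {ip}: {old} -> {mac}")
        self.ip_to_mac[ip] = mac
        self.known_macs.add(mac)
        return alerts


def run(observations, subnets):
    """Feed observations through one monitor; subnets maps iface -> CIDR."""
    mon = ArpMonitor({i: ipaddress.ip_network(n) for i, n in subnets.items()})
    alerts = []
    for iface, ip, mac in observations:
        alerts.extend(mon.observe(iface, ip, mac))
    return alerts
```

    The last sample line shows the case the text mentions: when both IP and MAC change at once the monitor cannot say which host it was, but it still reports that an unknown station appeared.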
    This wonderful program allows fast real-time analysis of packets 
    traversing a system or network. It allows localizing a network or 
    firewall problem, verifying that a VPN actually is encrypting its 
    data, etc.
    How long did it take you to write "Real World Linux Security, 2/e" and 
    what was it like?
    It took about three months of 90-hour weeks to finish the manuscript 
    and a few months of "normal weeks" for the post-manuscript production 
    to produce the finished book. This was on top of about six months of 
    120-hour weeks to create the manuscript for the first edition and 
    three months for production.
    What was it like? Pure hell. I worked mostly at night because I am 
    more creative then and there were no interruptions for email or phone 
    calls. My friends thought I abandoned them because they never saw me 
    and I kept sending my girlfriend away for weekends, camping, to visit 
    her mother in Washington, DC, and elsewhere. My good friend, Stan 
    Bootle calls it "Writer's Widow".
    I slept very little. I did just enough for my clients so that they did 
    not find someone else to help them. This obsession resulted in a much 
    better book. I saw my contribution to Linux and Open Source was to 
    help secure it. While Linux (and Unix) is capable of very good 
    security, people did not know how. With my knowledge of security and 
    some ability to write I saw this as my greatest contribution to Open 
    Source. The book also is very useful to Unix System Administrators.
    What's your take on the adoption of Linux in the enterprise? Do you 
    think it will give a boost to security?
    Linux continues to "Eat Bill's lunch" and that of the Unix vendors. 
    With the desktop work that has been done recently and several 
    Distributions' work for easier installs, Linux is ready to take over 
    the desktop market too. I think that the poor economy internationally 
    has helped Linux.
    Any old PC can run Linux quickly for no money and trouble-free 
    operation. The latter means far less support costs. Microsoft just 
    announced that it no longer will support its flagship Office for 
    previous Windows versions, to "force" people to buy its new stuff; I 
    think many will switch to Linux instead.
    SuSE just announced its Open Exchange product. There are several Open 
    Source Linux-based clients for MS Exchange. Almost everyone has heard 
    of Linux now. IBM advertises it on television. Non-geek friends want 
    to try it.
    What do you think about the full disclosure of vulnerabilities?
    Full disclosure of vulnerabilities forces vendors to fix their 
    security problems quickly and it counteracts the lies of insecure 
    vendors that their software is secure. This seems to be why Microsoft 
    is lobbying the U.S. government to outlaw full disclosure and 
    Hewlett-Packard (HP) is trying to imprison someone under DMCA who 
    disclosed HP vulnerabilities. It was disclosed only after HP refused 
    to acknowledge the problem or repair it.
    What are your future plans? Any exciting new projects?
    Since finishing the book two months ago, I have created a Linux-based 
    Enterprise-class Virus filter and Spam filter and installed them at 
    various clients. I am finishing an article on a novel way to trace 
    Distributed Denial of Service (DDoS) attacks so that they may be 
    stopped much faster. I am growing my network security consulting 
    What is your vision for Linux in the future?
    Linux will replace Windows and Unix as the universal operating system 
    for everything from embedded systems and PDAs to the biggest systems. 
    Linux's Open Source nature and the peer pressure from its users will 
    prevent Microsoft, IBM, or anyone else from forcing people to use 
    inferior proprietary software again.
    More governments will join China, France, and Mexico in officially 
    preferring Linux over Microsoft for its better quality and lower cost 
    of ownership. There is a Chinese edition of Real World Linux Security 
    from China Machine Press.
    People will have personal lives again rather than having to reinstall 
    their Windows systems or retype their documents every weekend 
    following crashes.