Re: [CentOS] bounties for exploits against CentOS?

2012-01-17 Thread Johnny Hughes
On 01/17/2012 12:13 PM, Bennett Haselton wrote:
> On 1/17/2012 9:25 AM, Les Mikesell wrote:
>> On Tue, Jan 17, 2012 at 11:12 AM, Bennett Haselton
>>   wrote:
>>> Pretty much all software testing is predicated on this notion -- that as
>>> you find and fix more bugs (of any kind, not just security bugs),
>>> eventually the mean time to find the next bug should get larger.
>>> Otherwise, what's the point, if at the end of all your testing and
>>> fixing, users keep running into bugs at the same frequency as before?
>> Look through the changelogs of any major application or the kernel
>> itself.  See if it looks like the world is running out of bugs.
>>
> Well if the software itself is constantly being modified in other ways 
> (addition of new features) then of course you'll never run out of new 
> bugs either :) But even for software where the features are frozen, bugs 
> in a given category should eventually get harder to find, and/or should 
> be less severe than at the beginning of the cycle (which seemed to be 
> the case whenever I worked in testing).
>
> If this were not the case, then what would even be the point of doing 
> any testing and bug-fixing at all?  Unless you expect that eventually 
> the remaining bugs become rarer or less severe.
Regardless, CentOS would not be publishing said Bug Fixes except for
items in our extras or plus repositories.

CentOS builds the upstream sources directly whenever possible.  We only
make modifications when required to do so for Branding reasons ... or if
something needs to be added to get the build correct, etc.

Therefore, any "bugfix" changes would need to be made by Red Hat to the
RHEL source code, which would then trickle down into CentOS, since we
build the upstream EL sources.

If one wanted to offer bounties to find and fix issues, and then submit
that info to the upstream RH bugzilla, I am sure they would appreciate it. 

CentOS does make upstream Red Hat bugzilla entries all the time when we
get issues reported to us that are valid and in the upstream code.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] bounties for exploits against CentOS?

2012-01-17 Thread Bennett Haselton
On 1/17/2012 9:25 AM, Les Mikesell wrote:
> On Tue, Jan 17, 2012 at 11:12 AM, Bennett Haselton
>   wrote:
>> Pretty much all software testing is predicated on this notion -- that as
>> you find and fix more bugs (of any kind, not just security bugs),
>> eventually the mean time to find the next bug should get larger.
>> Otherwise, what's the point, if at the end of all your testing and
>> fixing, users keep running into bugs at the same frequency as before?
> Look through the changelogs of any major application or the kernel
> itself.  See if it looks like the world is running out of bugs.
>

Well if the software itself is constantly being modified in other ways 
(addition of new features) then of course you'll never run out of new 
bugs either :) But even for software where the features are frozen, bugs 
in a given category should eventually get harder to find, and/or should 
be less severe than at the beginning of the cycle (which seemed to be 
the case whenever I worked in testing).

If this were not the case, then what would even be the point of doing 
any testing and bug-fixing at all?  Unless you expect that eventually 
the remaining bugs become rarer or less severe.

Bennett


Re: [CentOS] bounties for exploits against CentOS?

2012-01-17 Thread Les Mikesell
On Tue, Jan 17, 2012 at 11:12 AM, Bennett Haselton
 wrote:
>
> Pretty much all software testing is predicated on this notion -- that as
> you find and fix more bugs (of any kind, not just security bugs),
> eventually the mean time to find the next bug should get larger.
> Otherwise, what's the point, if at the end of all your testing and
> fixing, users keep running into bugs at the same frequency as before?

Look through the changelogs of any major application or the kernel
itself.  See if it looks like the world is running out of bugs.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] bounties for exploits against CentOS?

2012-01-17 Thread Bennett Haselton
On 1/17/2012 8:11 AM, Les Mikesell wrote:
> On Tue, Jan 17, 2012 at 9:04 AM, Bennett Haselton  
> wrote:
>> But there seems to be some consensus, at least, that exploits do get
>> found which allow apache to run arbitrary code (even under its
>> unprivileged account),
> Web servers are particularly prone to this because webapps are
> typically designed to map user input to some action in a fairly
> flexible way (i.e. by mapping the URL to a program and its inputs) and
> people can easily manipulate the URLs they send.  That leaves a lot of
> levels where buffer overflows or mis-parsing can let unintended code
> execute.
>
>> and exploits do get found that elevate an
>> unprivileged user to root privileges.
> And it is best to assume that there are more that haven't been found...
>
>>   So you could offer, for example,
>> a bounty for anyone who finds a way to elevate the privilege of an
>> unprivileged account.  That's a lot less powerful than a complete
>> exploit that can be used against any server on the Internet, but it's
>> the kind of thing an attacker might use as part of a larger exploit.  So
>> would you feel safer using CentOS/Red Hat if Red Hat, for example,
>> offered a prize to anyone who could find a privilege-escalation exploit
>> like that?  Knowing that it would reduce the chance of a black hat
>> finding the exploit and using it as part of an attack?
> You'll never know when the last bug is found.

Well I'm assuming there is no "last bug"; rather, that as more and more 
bugs are found and fixed, the mean time to find the next one will get 
measurably larger.

Pretty much all software testing is predicated on this notion -- that as 
you find and fix more bugs (of any kind, not just security bugs), 
eventually the mean time to find the next bug should get larger.  
Otherwise, what's the point, if at the end of all your testing and 
fixing, users keep running into bugs at the same frequency as before?

The idea is that if you find and fix enough of them, eventually the mean 
time to find the next one, and hence the cost of finding the next one, 
will exceed the black-market value of the exploit, so it's no longer 
profitable for black hats to go looking for them.

On the other hand, it is conceivable that above a certain 
effort-threshold, the number of exploits to be found is essentially 
unlimited.  Maybe at the $25,000 level, the number of bugs to be found 
is so large, that no matter how many are found and fixed, the mean time 
to find the next one will always average about $25,000.  Meanwhile, if 
the black-market value of an exploit is more than that (say, $50,000), 
then the black hats will *never* run out of exploits.  This would have 
the unfortunate implication that not only is there no point in paying 
out bounties at that level (since it wouldn't make it any harder for a 
black hat to find a new exploit), but there would be no point in finding 
and fixing exploits at that level at all (unless you know a particular 
exploit is being used in the wild) -- since it will never get any harder 
for a black hat to find one!

> And if you don't know
> that, what have you gained by painting a target on your head?
>

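The two regimes Bennett describes above (a finite pool of bugs whose remaining density falls with every fix, versus an effectively unlimited supply at a given effort level) can be made concrete with a small discovery model. This is an added example, not code from the thread; the model itself (random code paths, a geometric search time, 100 bugs across 10,000 paths, $250 per unit of effort) is an assumption chosen so that the constant-cost case lands on the thread's $25,000 figure.

```python
"""Finite-pool vs. unbounded-pool exploit discovery, per the thread's argument.

Constructed model (an assumption, not anything the thread specifies): a
codebase has `places` equally likely code paths, `bugs` of which hide an
unfixed exploitable bug. One unit of auditing effort inspects one random path,
so the effort to hit an unfixed bug is geometric with mean places/remaining.
"""
import random
from typing import List, Optional


def expected_effort_to_next_bug(remaining_bugs: int, places: int) -> float:
    """Mean effort units until the next find while `remaining_bugs` are unfixed."""
    if remaining_bugs <= 0:
        return float("inf")  # pool exhausted: no find at any price
    return places / remaining_bugs


def fixes_until_unprofitable(bugs: int, places: int, cost_per_unit: float,
                             market_value: float,
                             replenished: bool = False) -> Optional[int]:
    """Number of fixes after which the expected cost of the next find exceeds
    the black-market value of an exploit (the point where bounty-driven fixing
    has made further black-hat searching a losing proposition).

    replenished=True is the regime the thread worries about: the supply of
    bugs at this effort level never drains, so the expected cost is constant
    and None is returned when it never crosses market_value.
    """
    if replenished:
        cost = cost_per_unit * expected_effort_to_next_bug(bugs, places)
        return 0 if cost > market_value else None
    for fixed in range(bugs):
        cost = cost_per_unit * expected_effort_to_next_bug(bugs - fixed, places)
        if cost > market_value:
            return fixed
    return bugs  # pool exhausted before the price ever crossed


def simulate_gaps(bugs: int, places: int, seed: int = 7) -> List[int]:
    """Monte Carlo run of the finite-pool regime: effort spent between
    successive finds, from the first bug until the pool is exhausted.
    The gaps grow as the pool drains; with a constant density they would not."""
    rng = random.Random(seed)
    unfixed = set(rng.sample(range(places), bugs))  # constructed bug locations
    gaps: List[int] = []
    effort = 0
    while unfixed:
        effort += 1
        path = rng.randrange(places)
        if path in unfixed:  # found and fixed one bug
            unfixed.remove(path)
            gaps.append(effort)
            effort = 0
    return gaps


if __name__ == "__main__":
    # Constructed numbers: $250 per unit of effort, $50,000 black-market value.
    for label, replenished in (("finite pool", False), ("unbounded pool", True)):
        k = fixes_until_unprofitable(100, 10_000, 250, 50_000, replenished)
        print(f"{label}: black-hat search unprofitable after {k} fixes")
    gaps = simulate_gaps(100, 10_000)
    print("mean gap, first/last 25 finds:", sum(gaps[:25]) / 25, sum(gaps[-25:]) / 25)
```

In the finite-pool run the break-even arrives after about half the bugs are fixed, while in the replenished run the expected cost sits at $25,000 forever, which is exactly the case where Bennett notes the bounty would buy nothing.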


Re: [CentOS] bounties for exploits against CentOS?

2012-01-17 Thread Les Mikesell
On Tue, Jan 17, 2012 at 9:04 AM, Bennett Haselton  wrote:
>
> But there seems to be some consensus, at least, that exploits do get
> found which allow apache to run arbitrary code (even under its
> unprivileged account),

Web servers are particularly prone to this because webapps are
typically designed to map user input to some action in a fairly
flexible way (i.e. by mapping the URL to a program and its inputs) and
people can easily manipulate the URLs they send.  That leaves a lot of
levels where buffer overflows or mis-parsing can let unintended code
execute.

> and exploits do get found that elevate an
> unprivileged user to root privileges.

And it is best to assume that there are more that haven't been found...

> So you could offer, for example,
> a bounty for anyone who finds a way to elevate the privilege of an
> unprivileged account.  That's a lot less powerful than a complete
> exploit that can be used against any server on the Internet, but it's
> the kind of thing an attacker might use as part of a larger exploit.  So
> would you feel safer using CentOS/Red Hat if Red Hat, for example,
> offered a prize to anyone who could find a privilege-escalation exploit
> like that?  Knowing that it would reduce the chance of a black hat
> finding the exploit and using it as part of an attack?

You'll never know when the last bug is found.  And if you don't know
that, what have you gained by painting a target on your head?

-- 
   Les Mikesell
 lesmikes...@gmail.com


Re: [CentOS] bounties for exploits against CentOS?

2012-01-17 Thread Eero Volotinen
> Well one of the lessons of the recent threads seems to be that there is
> a lot of disagreement over what constitutes a "misconfigured server".
> Some people consider a server misconfigured if it doesn't use a firewall
> to limit access to sshd, some people consider it misconfigured if sshd
> uses passwords instead of keys, some people consider the server
> misconfigured if it doesn't use SELinux, etc.  Because there are
> mutually contradictory definitions of "misconfigured", if you find out
> that a server was broken into you can always come up with a reason,
> after the fact, why the server should be considered "misconfigured",
> depending on whose definition you use.

Well, first you need to select a security baseline and apply it to the server.
(for example:
http://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL_5.0-5.1_Benchmark_v1.1.2.pdf)



>
> But there seems to be some consensus, at least, that exploits do get
> found which allow apache to run arbitrary code (even under its
> unprivileged account), and exploits do get found that elevate an
> unprivileged user to root privileges.  So you could offer, for example,
> a bounty for anyone who finds a way to elevate the privilege of an
> unprivileged account.  That's a lot less powerful than a complete
> exploit that can be used against any server on the Internet, but it's
> the kind of thing an attacker might use as part of a larger exploit.  So
> would you feel safer using CentOS/Red Hat if Red Hat, for example,
> offered a prize to anyone who could find a privilege-escalation exploit
> like that?  Knowing that it would reduce the chance of a black hat
> finding the exploit and using it as part of an attack?

well, not really.

--
Eero


Re: [CentOS] bounties for exploits against CentOS?

2012-01-17 Thread Bennett Haselton
On 1/16/2012 3:13 PM, Eero Volotinen wrote:
>> Well I wasn't necessarily advocating it here, just asking whether people
>> would feel more or less secure using CentOS if such a prize program
>> existed (whether run by CentOS or RHEL), and why or why not.
> Well, no.
>
> Usually attacks on a system are caused by misconfiguration of the server or
> firewall, or by bugs in web applications *)
>
> *) https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Well one of the lessons of the recent threads seems to be that there is 
a lot of disagreement over what constitutes a "misconfigured server".  
Some people consider a server misconfigured if it doesn't use a firewall 
to limit access to sshd, some people consider it misconfigured if sshd 
uses passwords instead of keys, some people consider the server 
misconfigured if it doesn't use SELinux, etc.  Because there are 
mutually contradictory definitions of "misconfigured", if you find out 
that a server was broken into you can always come up with a reason, 
after the fact, why the server should be considered "misconfigured", 
depending on whose definition you use.

But there seems to be some consensus, at least, that exploits do get 
found which allow apache to run arbitrary code (even under its 
unprivileged account), and exploits do get found that elevate an 
unprivileged user to root privileges.  So you could offer, for example, 
a bounty for anyone who finds a way to elevate the privilege of an 
unprivileged account.  That's a lot less powerful than a complete 
exploit that can be used against any server on the Internet, but it's 
the kind of thing an attacker might use as part of a larger exploit.  So 
would you feel safer using CentOS/Red Hat if Red Hat, for example, 
offered a prize to anyone who could find a privilege-escalation exploit 
like that?  Knowing that it would reduce the chance of a black hat 
finding the exploit and using it as part of an attack?

Bennett


Re: [CentOS] bounties for exploits against CentOS?

2012-01-17 Thread Johnny Hughes
On 01/16/2012 12:34 PM, Bennett Haselton wrote:
> With companies like Facebook and Google offering cash prizes for people 
> who can find security holes in their products, has there ever been any 
> consideration given to offering cash rewards to people finding security 
> exploits in CentOS or in commonly bundled services like Apache?  
> (Provided of course they follow "responsible disclosure" and report the 
> exploit to the software authors and get it fixed.)
>
> Obviously the benefit would be that it would increase the chance of a 
> white hat finding and fixing an exploit, before a black hat discovered 
> the same one and used it to attack people's servers.  Would there be any 
> other downsides, other than the cost of paying out the prize?
>
> I've heard some objections from companies over the years who didn't want 
> to institute a "prize program", but I thought some of those objections 
> didn't make much sense (and indeed some of those companies ended up 
> instituting a prize program after all, a few years later).  For example, 
> some people said, "This just encourages people to find exploits and then 
> they might use those exploits to do harm."  (The problem with this is if 
> someone has sufficient black-hat incentives for finding an exploit -- 
> either to do malice, or more likely to sell it on the black market -- 
> those incentives *already* exist, so the prize program wouldn't create 
> any additional incentive to use an exploit illegally.)  Would you feel 
> safer using CentOS if a bounty program encouraged people to report 
> exploits to the project?  Why or why not?  I think I would, for the 
> stated reason -- newly discovered exploits are more likely to get 
> reported and fixed, than to be used in the wild.  But I'd be curious why 
> anyone might feel less safe if such a program existed.
>
> On a related question, suppose that instead of paying for generic 
> exploits against the operating system, you as a webmaster had the option 
> of adding your website to a directory of "bounty" sites, where you would 
> have to put up a bond of $100 to join.  Then anyone who could prove that 
> they broke into your server (let's say the "proof" is that they read a 
> world-readable file in the root directory) would collect the $100 prize, 
> if they can describe exactly how they did it and what you need to fix to 
> prevent the attack in the future.  That way, if there's ever a weakness 
> in your server, it's more likely to be found by a white hat and reported 
> to you directly so you can fix it, before a black hat finds the same 
> weakness.  Would you sign up your webserver?  I think I would, and I 
> believe I'd be reducing the risk of a black-hat breakin as a result, but 
> there may be counter-arguments that I'm not thinking of.
>
>

For the record ... Facebook USES CentOS



Re: [CentOS] bounties for exploits against CentOS?

2012-01-16 Thread Eero Volotinen
>
> Well I wasn't necessarily advocating it here, just asking whether people
> would feel more or less secure using CentOS if such a prize program
> existed (whether run by CentOS or RHEL), and why or why not.

Well, no.

Usually attacks on a system are caused by misconfiguration of the server or
firewall, or by bugs in web applications *)

*) https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

--
Eero


Re: [CentOS] bounties for exploits against CentOS?

2012-01-16 Thread Bennett Haselton
On 1/16/2012 12:12 PM, John R Pierce wrote:
> On 01/16/12 10:34 AM, Bennett Haselton wrote:
>> With companies like Facebook and Google offering cash prizes for people
>> who can find security holes in their products, has there ever been any
>> consideration given to offering cash rewards to people finding security
>> exploits in CentOS or in commonly bundled services like Apache?
> companies like facebook and google have significant(!!) cash flow.
> centos is a volunteer project.  from where would this prize money come?
>
> you'd do better addressing this question to Redhat Enterprise Linux,
> anyways, since CentOS's goal is to be a near exact copy, bugs and warts
> included.

Well I wasn't necessarily advocating it here, just asking whether people 
would feel more or less secure using CentOS if such a prize program 
existed (whether run by CentOS or RHEL), and why or why not.

Bennett


Re: [CentOS] bounties for exploits against CentOS?

2012-01-16 Thread John R Pierce
On 01/16/12 10:34 AM, Bennett Haselton wrote:
> With companies like Facebook and Google offering cash prizes for people
> who can find security holes in their products, has there ever been any
> consideration given to offering cash rewards to people finding security
> exploits in CentOS or in commonly bundled services like Apache?

companies like facebook and google have significant(!!) cash flow.   
centos is a volunteer project.  from where would this prize money come?

you'd do better addressing this question to Redhat Enterprise Linux, 
anyways, since CentOS's goal is to be a near exact copy, bugs and warts 
included.



-- 
john r pierce                            N 37, W 122
santa cruz ca                            mid-left coast



[CentOS] bounties for exploits against CentOS?

2012-01-16 Thread Bennett Haselton
With companies like Facebook and Google offering cash prizes for people 
who can find security holes in their products, has there ever been any 
consideration given to offering cash rewards to people finding security 
exploits in CentOS or in commonly bundled services like Apache?  
(Provided of course they follow "responsible disclosure" and report the 
exploit to the software authors and get it fixed.)

Obviously the benefit would be that it would increase the chance of a 
white hat finding and fixing an exploit, before a black hat discovered 
the same one and used it to attack people's servers.  Would there be any 
other downsides, other than the cost of paying out the prize?

I've heard some objections from companies over the years who didn't want 
to institute a "prize program", but I thought some of those objections 
didn't make much sense (and indeed some of those companies ended up 
instituting a prize program after all, a few years later).  For example, 
some people said, "This just encourages people to find exploits and then 
they might use those exploits to do harm."  (The problem with this is if 
someone has sufficient black-hat incentives for finding an exploit -- 
either to do malice, or more likely to sell it on the black market -- 
those incentives *already* exist, so the prize program wouldn't create 
any additional incentive to use an exploit illegally.)  Would you feel 
safer using CentOS if a bounty program encouraged people to report 
exploits to the project?  Why or why not?  I think I would, for the 
stated reason -- newly discovered exploits are more likely to get 
reported and fixed, than to be used in the wild.  But I'd be curious why 
anyone might feel less safe if such a program existed.

On a related question, suppose that instead of paying for generic 
exploits against the operating system, you as a webmaster had the option 
of adding your website to a directory of "bounty" sites, where you would 
have to put up a bond of $100 to join.  Then anyone who could prove that 
they broke into your server (let's say the "proof" is that they read a 
world-readable file in the root directory) would collect the $100 prize, 
if they can describe exactly how they did it and what you need to fix to 
prevent the attack in the future.  That way, if there's ever a weakness 
in your server, it's more likely to be found by a white hat and reported 
to you directly so you can fix it, before a black hat finds the same 
weakness.  Would you sign up your webserver?  I think I would, and I 
believe I'd be reducing the risk of a black-hat breakin as a result, but 
there may be counter-arguments that I'm not thinking of.

Bennett