Kuro5hin.org: technology and culture, from the trenches
create account | help/FAQ | contact | links | search | IRC | site news
[ Everything | Diaries | Technology | Science | Culture | Politics | Media | News | Internet | Op-Ed | Fiction | Meta | MLP ]
We need your support: buy an ad | premium membership

[P]
Slackware.com hacked (!)

By delmoi in News
Tue Jul 17, 2001 at 06:06:37 AM EST
Tags: Security (all tags)
Security

Just a little after 11:30 tonight slackware.com was defaced, with the simple message "NOT ONLY WINDOZE CAN BE HACKED!". The page now shows only a an empty page, content free save the title "slackware".


Now, to be honest, I do find this rather humorous. Linux/Unix boosters just love to point out how much more insecure Windows is, and how secure Linux is in comparison. The hackers message "Not only windows can be hacked." is one we should heed, just because you may have a secure OS doesn't necessarily mean you're going to be secure -- as was certainly the case with the Apache/sourceforge/linux.com fiasco a while back.

While the details about the slackware.com hack in are unavailable, we should let this serve as a reminder that the hubris of believing that we are totally secure is just that.

Also, it's pretty funny :P

Sponsors

Voxel dot net
o Managed Hosting
o VoxCAST Content Delivery
o Raw Infrastructure

Login

Related Links
o slackware. com
o defaced
o Also by delmoi


Display: Sort:
Slackware.com hacked (!) | 20 comments (19 topical, 1 editorial, 0 hidden)
my thoughts... (3.20 / 10) (#1)
by rebelcool on Tue Jul 17, 2001 at 01:20:23 AM EST

I dont think linux is really all that more secure than windows. It mainly depends on two things: Configuration, and familiarity with the system.

Sure, holes can be left in the software itself, but this is rarely the reason for a hack. Open Source doesnt catch this kind of holes very well either, as that's only good if the hole can be easily spotted by the eye - most hacks, cannot be.

Linux is a very obscure system. Unless you're a god, you're going to have a hard time hacking it. Just from the arcane interface, security through obscurity IS a form of a security, and is certainly a reason why linux is hacked less. Windows is far easier to use.

Just some observations from someone whos administered servers from both sides...

COG. Build your own community. Free, easy, powerful. Demo site

Linux/Unix "boosters" (4.00 / 11) (#3)
by Sheepdot on Tue Jul 17, 2001 at 02:28:19 AM EST

I don't think that those that prefer a POSIX-compatible OS over Windows have ever officially released a statement declaring that Linux is more secure. However, I used to feel as you do, having used Win9* for years and generally seeing a lot of faults, especially security-wise with Linux.

The crux of the matter came when our Linux box at work was compromised and used for a DOS attack against an FBI server. I really loathed people that promoted POSIX-compatible OS's at that time.

But in all reality, my views have changed: I got a chance to see secure Linux boxen and the administrators (bright individuals like myself) that ran them. I installed LinuxPPC and was impressed. I compared Apache to IIS.

As a whole, I feel that if a company employs a *nix administrator, they are purchasing that person's ability to secure a server, be it for internal or external uses and more.

When hiring someone to do such a task, you're most likely hiring someone with such an extensive knowledge that the products you run are not the key focus. With Windows administration, you're simply hiring someone to run the latest patches and updates and hoping that they will do well. You're spending some money to purchase the products, and the rest of the money to pay a salary.

Granted, I've been that kind of employee (MS admin) for a while, and I do accomplish more than just updating server packages. I feel, however, that the amount of securing that I do is no where near the capacity that someone with a POSIX-compatible OS is going to do. Nor am I fully able to secure a Windows server in such a way that a Linux administrator can secure his/hers.

For that reason, I feel that security is relevant only according to who is doing the actual securing, and not always the product that is being used.

And in all honesty, for price to security comparisons, free *nix does really well.


Security (3.66 / 3) (#4)
by Lance on Tue Jul 17, 2001 at 05:42:37 AM EST

No computer system is completely secure. To achieve this, you would have to disconnect the computer's network connection. Then, of course, there is the issue of physical security.

Out of the box, Unix has traditionally been rather insecure (Linux is no exception). For example, services such as finger, netstat, ftp, and so on, are enabled by default. In fact, I'd even say that Windows 2000 is more secure than a straight Linux install. However, if configured properly by someone who knows that they are doing, Unix can be a very secure OS. It all comes down to the competence of the admin.

As for slackware.com, a portscan on their webserver reveals that ports such as telnet, time, and shell are open. Why these services are running on a webserver is beyond me.

Hackable Out Of The Box! (2.66 / 6) (#5)
by ZorbaTHut on Tue Jul 17, 2001 at 06:09:41 AM EST

Whenever someone's ranting to me about how Linux is always more secure than Windows, I feel obliged to point out that I don't know a single Linux installation that isn't hackable on a default setup.

Telnet.

Really, how many Linux boxes come with Telnet hooked straight into a login prompt, and then straight to su? And how many Windows boxes have telnet logins at *all*?

Speaking from the perspective of someone who needed to play with a Windows box remotely for legit reasons, it's actually really really hard to get in - you need software setup beforehand to do it. Linux doesn't have this advantage ;)

(don't get me started on my "multiple users" rant)

disclaimer: I wouldn't want to run a Windows server. But Linux is *not* a user-level OS.

This is true (3.00 / 1) (#9)
by Colonol_Panic on Tue Jul 17, 2001 at 10:09:36 AM EST

While your OS choice is the ultimate limiting factor in security, if you don't know how to admin a box you will be cracked no matter what OS you use. Of course, most of us probably knew that already.
Here's my DeCSS mirror. Where's Yours?
[ Parent ]
Red Hat Default (4.00 / 2) (#10)
by kostya on Tue Jul 17, 2001 at 10:21:23 AM EST

Really, how many Linux boxes come with Telnet hooked straight into a login prompt, and then straight to su? And how many Windows boxes have telnet logins at *all*?

Ok, this is just too funny. Your trolling, right?

  1. Red Hat and other do have telnet installed, but they do not allow root access via telnet
  2. Technically, su is accessible from telnet, ssh, the terminal, you name it. But then, you can login as effectively a root user on any Win9x box just by turning it on--so what's your point?
  3. Telnet does not exist for Windows because windows is not designed to be a multi-user server machine--but that is changing in the latest versions of windows. Newest versions have the ability for multiple users to be logged in and running software.
  4. Latest versions of Red Hat do not have telnetd installed by default or running by default unless you choose server--and even then you still don't have root access via telnet. They now all come with openssh.

disclaimer: I wouldn't want to run a Windows server. But Linux is *not* a user-level OS.

What exactly is that supposed to mean? Linux is not a user-level OS ... because it is designed to be a multi-user/server system? That's good logic: I guess since Windows is designed to be a single-user system, it therefore makes a poor server OS. But then, we knew that already ;-)



----
Veritas otium parit. --Terence
[ Parent ]
telnet for windows? (none / 0) (#13)
by delmoi on Tue Jul 17, 2001 at 11:50:01 AM EST

Telnet does not exist for Windows because windows is not designed to be a multi-user server machine--but that is changing in the latest versions of windows. Newest versions have the ability for multiple users to be logged in and running software.

really?
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
"Exists" as in ... (none / 0) (#14)
by kostya on Tue Jul 17, 2001 at 12:12:07 PM EST

... "a part of the default distribution or installed with a standard installation."

I am well-aware that telnet products or telnet-like products exist. But when you buy a computer from dell, it does not come with a telnet server.

I think you knew that too.



----
Veritas otium parit. --Terence
[ Parent ]
Well, you're still wrong (none / 0) (#15)
by delmoi on Tue Jul 17, 2001 at 06:25:17 PM EST

Telnet comes as a standard part of windows2000. All I had to do was go to the control pannel and turn it on.
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
Well, then I guess your right! (none / 0) (#17)
by kostya on Tue Jul 17, 2001 at 10:03:03 PM EST

I was referring to the Win 9x series, so I'm not surprised I missed the exact facts of 2000. Thanks for correcting me.

----
Veritas otium parit. --Terence
[ Parent ]
Not Hackable out of the Box (4.00 / 2) (#11)
by lb008d on Tue Jul 17, 2001 at 11:30:00 AM EST

Shameless advocacy, but......

OpenBSD hasn't been remotely hackable out of the box for a while now - they've got the right philosophy in my opinion. Turn almost everything off by default and let the admin screw the machine up. I believe only ssh is allowed after you do a fresh install.

The default install is also quite minimalistic. And don't forget the code audit!

[ Parent ]
telnet != hackablity (3.00 / 2) (#12)
by delmoi on Tue Jul 17, 2001 at 11:47:29 AM EST

Just having telnet doesn't make you hackable. You'll still need passwords, and if someone is sniffing on the network you'll still need to actually log on.

Surely you aren't suggesting that merely having telnet installed on the hard drive could cause a problem, are you?

Actualy, win2k comes with telnet, but you need to enable it manualy
--
"'argumentation' is not a word, idiot." -- thelizman
[ Parent ]
Security concern (none / 0) (#20)
by ZorbaTHut on Sat Aug 04, 2001 at 05:53:45 AM EST

No, of course not. But any way to log in is a potential vulnerability. If there's a bug in it, even a DNS server could give you root access. There are a LOT of programs on a Linux box that could be hacked. And a lot of installations set them all up by default. Yes, I realize that they're all *probably* safe, but what happens when some clever hacker finds a vulnerability in, say, all versions of Apache? Most Linux installations - even those that have nothing to do with webserving! - are vulnerable, because most Linux installations come with Apache preinstalled. And the Average User simply doesn't care, and won't until all their documents are gone. If the hacker does that, and doesn't just set up that box as a DDoS relay or something - then they won't care until the cops show up, and probably not even then, except to save their own posteriors.

[ Parent ]
Not only windoze can be hacked... (2.40 / 5) (#6)
by WWWWolf on Tue Jul 17, 2001 at 06:57:06 AM EST

Not only Windows can be hacked, it can actually be used for actual work.

However, I don't think putting that comment to slackware.com helps the cracker agenda. This thing is self-evident, because that is one of the main goals of operating systems - extendability and practicality. Yes, Linux can be used for both, too.

=)

-- Weyfour WWWWolf, a lupine technomancer from the cold north...


So? (3.80 / 5) (#7)
by sneakcjj on Tue Jul 17, 2001 at 08:24:41 AM EST

Absolutely nothing is completely secure so get over it. More importantly, "More secure" does not mean "COMPLETELY secure". The same people who believe that are the people who get a big mac, large fries and a diet coke so they feel good about watching calories.

Funny Hackers (3.50 / 2) (#8)
by retinaburn on Tue Jul 17, 2001 at 08:29:47 AM EST

Sounds like another humorous hack along the lines of Evil Angelica.

I think that we are a young species that often fucks with things we don't know how to unfuck. -- Tycho


And every fucking time.. (none / 0) (#16)
by Inoshiro on Tue Jul 17, 2001 at 09:42:45 PM EST

Someone says "X is more secure than Y," I say "it's the motherfucking administrators." There are certain kinds of cars which are more prone to accidents, but no one seems to lose sight of the people behind the wheel there.

OpenBSD has few security problems out of box, but the install is so hard to the newbie admin that needs to set something up, that it's not useful. If they don't give up and install RedHat, they will just enable WuFTPD anyways. Similarly, a person skilled and educated about security can do their best to ensure your Win2k IIS boxs is rock solid, security wise.

You need to not focus on the OS, as the OS merely lends itself to the user in different ways. It's all the fault of the administrator or user when their server or workstation has a security issue. If you're not knowledgeable, or have not taken the time to become knowledgeable, about security -- you are the main one at fault when some script kiddy attacks your servers.

And let's not forget that there is also a small window between a new vulnerablility being posted to Bugtraq, and your admin handling it. That's a bit different. So is a proper, concereted attack by a person skilled in the arts of breakins probing your system and developing new attacks to deal with your security measures.



--
[ イノシロ ]
Security In A Nutshell (none / 0) (#18)
by PsychoFurryEwok on Wed Jul 18, 2001 at 12:21:36 AM EST

I've been working with security for jsut about a year now and am still gathering knowledge about everything. What I've discovered through my security experiences and usage of almsot every OS is that NOTHING IS SECURE. THERE IS A WAY TO CRACK EVERYTHING! It may take a bit more thinking...but it can be done. The reason why this mentality that Windows is "the suck", etc. Is that it's GUI always crashes and it's dll's screw over and it's overall a trouble maker by design. When in fact, it's just about as secure. If they'd fix their stupid mistakes before release, it'd be just as good as any linux distribution. I can't tell if I just mumbled off here...maybe I should jsut post this before my head spins more........

defaced, not hacked (none / 0) (#19)
by dof on Thu Jul 19, 2001 at 06:32:26 PM EST

Official statement (By Chris Lumens) here

Hope that lets a few people sleep easier..

dof.
http://www.codepoets.co.uk

Slackware.com hacked (!) | 20 comments (19 topical, 1 editorial, 0 hidden)
Display: Sort:

kuro5hin.org

[XML]
All trademarks and copyrights on this page are owned by their respective companies. The Rest 2000 - Present Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
My heart's the long stairs.

Powered by Scoop create account | help/FAQ | mission | links | search | IRC | YOU choose the stories!