BrickHouse Beta Linux article (fwd)
Has anyone else seen this? Just how secure is it?
Dwarf
--
_-_-_-_-_- Author of "The Debian Linux User's Guide" _-_-_-_-_-_-
aka Dale Scheetz Phone: 1 (850) 656-9769
Flexible Software 11000 McCrackin Road
e-mail: dwarf@polaris.net Tallahassee, FL 32308
_-_-_-_-_-_- If you don't see what you want, just ask _-_-_-_-_-_-_-
---------- Forwarded message ----------
Subject: From April 26 PC Week
E-volution
The Web server that
stopped the big bad wolves
By Scot Petersen
April 26, 1999 9:00 AM ET
This story goes back to last year's
attack on The New York Times Web
site by the notorious HFG (Hacking for
Girliez) gang, the champions of hacking
for malicious sport. One of the targets
of that attack and subsequent related
attacks was Carolyn Meinel, aka The Happy Hacker,
who now thinks she may have found the first
unbreakable Web server.
Meinel, an engineer and author, is a good, or ethical,
hacker. She is reviled by bad hackers because she
writes about hacking and gives away secrets in the
name of improving security. To groups like HFG, which
have hacked her sites and service providers many
times, she's the Antichrist.
Meinel runs happyhacker.org, a site that serves as an
educational oasis for hacker wanna-bes. She also
hosts hacking "war games" in cooperation with another
security site, AntiOnline (antionline.com), in which a
Web server is put up and hackers are dared to break in.
Enter Vincent Larsen, aka Evil Kernel, a developer for
SAGE (Systems Advisory Group Enterprises) Inc., of
Amarillo, Texas. Larsen, a Unix guru who also gained a
reputation with HFG, is the creator of the new
BrickHouse Web server. The Linux-based system is
now hosting the Happy Hacker site and the BrickHouse
open root shell contest. So far, it has stumped hacking
experts of all ilks.
Some background: Linux has a user-based security
model, which grants users access depending on who is
authorized to operate the system. But if a hacker can
fool the computer into thinking he is the root, or master
user, he can make the machine do anything he wants.
Traditionally, developers have put the onus of security
on the Web server, not the underlying operating
system. Larsen's idea: Change the OS security model
and take advantage of Linux's open source code. He
ripped out Linux's security kernel, rewrote it "180
degrees" and made access dependent on processes
running on the system, rather than on the user. This
model prevents one application from meddling with data
from another app. In other words, you'd only be able to
do what the application can do. Then Larsen simply
wrote an HTTP server to run on top of the new Linux
kernel.
Ironically, the Web server application itself is not secure
at all. If you ran it on another Unix OS, "traditional Unix
server people would blast holes in it," Larsen said. With
Linux and BrickHouse together, SAGE (at thirdpig.com,
get it?) plans to ship this quarter a "black box" Web
server that promises businesses will be able to live
happily ever after.
It's a challenge hackers live for, but so far, Meinel's site
and its war games server, running a BrickHouse beta,
have been untouchable. As a final insult, the war games
server is open to anyone. Hackers are given free
access and a password. It's just that, once in, they
can't change anything.
"It's the most public and intense beta test in history of a
security product," Meinel said. "If he fails, everybody
would know it."
So go ahead, hackers, make their day.
Reply to: