[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

BrickHouse Beta Linux article (fwd)

Has anyone else seen this? Just how secure is it?

_-_-_-_-_-   Author of "The Debian Linux User's Guide"  _-_-_-_-_-_-

aka   Dale Scheetz                   Phone:   1 (850) 656-9769
      Flexible Software              11000 McCrackin Road
      e-mail:  dwarf@polaris.net     Tallahassee, FL  32308

_-_-_-_-_-_- If you don't see what you want, just ask _-_-_-_-_-_-_-

---------- Forwarded message ----------

Subject: From April 26 PC Week

               The Web server that
               stopped the big bad wolves
               By Scot Petersen
               April 26, 1999 9:00 AM ET
                           This story goes back to last year's
                           attack on The New York Times Web
                           site by the notorious HFG (Hacking for
                           Girliez) gang, the champions of hacking
                           for malicious sport. One of the targets
                           of that attack and subsequent related
               attacks was Carolyn Meinel, aka The Happy Hacker,
               who now thinks she may have found the first
               unbreakable Web server.
               Meinel, an engineer and author, is a good, or ethical,
               hacker. She is reviled by bad hackers because she
               writes about hacking and gives away secrets in the
               name of improving security. To groups like HFG, which
               have hacked her sites and service providers many
               times, she's the Antichrist.
               Meinel runs happyhacker.org, a site that serves as an
               educational oasis for hacker wanna-bes. She also
               hosts hacking "war games" in cooperation with another
               security site, AntiOnline (antionline.com), in which a
               Web server is put up and hackers are dared to break in.
               Enter Vincent Larsen, aka Evil Kernel, a developer for
               SAGE (Systems Advisory Group Enterprises) Inc., of
               Amarillo, Texas. Larsen, a Unix guru who also gained a
               reputation with HFG, is the creator of the new
               BrickHouse Web server. The Linux-based system is
               now hosting the Happy Hacker site and the BrickHouse
               open root shell contest. So far, it has stumped hacking
               experts of all ilks.
               Some background: Linux has a user-based security
               model, which grants users access depending on who is
               authorized to operate the system. But if a hacker can
               fool the computer into thinking he is the root, or master
               user, he can make the machine do anything he wants.
               Traditionally, developers have put the onus of security
               on the Web server, not the underlying operating
               system. Larsen's idea: Change the OS security model
               and take advantage of Linux's open source code. He
               ripped out Linux's security kernel, rewrote it "180
               degrees" and made access dependent on processes
               running on the system, rather than on the user. This
               model prevents one application from meddling with data
               from another app. In other words, you'd only be able to
               do what the application can do. Then Larsen simply
               wrote an HTTP server to run on top of the new Linux
               Ironically, the Web server application itself is not secure
               at all. If you ran it on another Unix OS, "traditional Unix
               server people would blast holes in it," Larsen said. With
               Linux and BrickHouse together, SAGE (at thirdpig.com,
               get it?) plans to ship this quarter a "black box" Web
               server that promises businesses will be able to live
               happily ever after.
               It's a challenge hackers live for, but so far, Meinel's site
               and its war games server, running a BrickHouse beta,
               have been untouchable. As a final insult, the war games
               server is open to anyone. Hackers are given free
               access and a password. It's just that, once in, they
               can't change anything.
               "It's the most public and intense beta test in history of a
               security product," Meinel said. "If he fails, everybody
               would know it."
               So go ahead, hackers, make their day.

Reply to: