
Nailing shut the cyber back door

Jay Beale of the Bastille Linux Project spends his days devising ways to help overworked system administrators close security holes.

Robert Lemos Staff Writer, CNET News.com
By Robert Lemos
Special to CNET News.com
July 24, 2001, 12:50 p.m. PT

If there's a stereotype for a hacker, Jay Beale isn't it.

Mild-mannered and somewhat shy, Beale--like many hackers of the old school--has made a name for himself at a young age. As the leader of the Bastille Linux Project, an open-source endeavor to make Linux systems more secure by automating the patching process, Beale, 26, is well-known in the Linux community and security circles.

CNET News.com talked with Beale at the Black Hat Security Briefings in Las Vegas earlier this month.

His message: Making it easier for system administrators to secure their systems is extremely important. With Code Red and many other worms automatically exploiting known holes in systems, removing system vulnerabilities as quickly as possible gains new importance.

Q: How did you get interested in security?
A: I got into security because I was a junior-level system administrator at a math department at a university. I was just learning about system administration. It was my first job. I was having a lot of fun. I was learning everything under the sun. I was chomping through books. And I learned a bunch about security, and I started comparing it to our practices. And I said, "Oh my God. We are completely screwed." And my boss said, "Yeah, yeah. That's not a big deal. We are just a math department. We got to do this other stuff."

Well, the other stuff was really boring, but I did the other stuff, and I kept saying we really should do something. Shortly thereafter, I left for greener pastures. And around the same time or shortly before, the math department started getting hacked about once every two weeks. It was almost like clockwork. And it was all over the place, machines all over the place. I'm not sure--they still might have the same problem, because they'd not taken the time to do security.

Did your next job take security more seriously?
Well, when I got to my next job, they were hiring me as a system administrator. And they said, "I see you have some interest in doing security." And I said, "Well, not really. It was something that I wanted to do at my last job because they were pretty screwed." And he said, "Why don't you try a few things that we wanted to do. It should take you about four months to do this entire list."

Well, the four months went by and the stuff they wanted got done, but the list was longer by then. And a year later I was still working on stuff on the list, and I just ended up finding myself in security. But I was having an amazingly fun time and hopefully doing some real good for our networks.

Is that what became the Bastille Linux script? That you automated the list?
No, what happened is that at some point I started automating stuff for this place and they were running Suns. And I wrote a hardening script that was really, really basic, and it wasn't really extensible at all, but it did the job.

And later on, some people were trying to make a better distribution, and they were calling it Bastille Linux Project; I didn't actually start the project. They started at a SANS conference in July of '99, and three months later it hadn't really gotten anywhere. It never really took off; it's a huge amount of work to create a distribution.

What happened after that?
Basically, they underestimated how much work it was. When they realized it was way too much work, they decided to take an existing approach, take an existing distribution and make it a better distribution. They realized they didn't have to do it from scratch, but just change 5 percent or 10 percent of the settings.

So they started looking for some scripts, and I saw that and really wanted to start an open-source project. John Lasser was the guy who gave me my first Linux CDs; he was running the project and I drove down to see him. He told me what he was looking to do, and I thought, "Cool."

So I wrote a spec, and a whole bunch of people started helping us test immediately. Then someone submitted a firewall, and we have some others who are contributing stuff right now.

What do you run under?
Right now we are working on Red Hat and Mandrake, and we are going to go for some more. There are lots of systems running HP-UX, so we are working with them. And I would love to see us work on Solaris and AIX, to protect as much of the mainstream server market as possible.

What about a Windows version?
I'm not really amazingly interested in working with Windows, but I would love to talk to someone who is.

It's not about security--it's about risk management. Is that how everyone has to think about it?
I think that's stating the obvious, and I also think that's wholly right. A lot of us security types, especially when we first start out, we want to do everything. I'm going to completely harden all the systems. I'm going to completely secure the network. And all of a sudden, you start shooting yourself in the foot. You are going overboard.

And security goes out the door, right?
You are making the network unusable, and when you make the network unusable or the computer unusable, your users will rebel. And they'll make the situation worse than it ever was.

A great example is in an organization where they say you have to have a 48-character password and it can't have any words in it. Well, everyone will do exactly what I would probably do in that situation, which is come up with a password and write it down.

And now we've got all these written-down passwords, and maybe I'm using the same password across all these systems. And that's not so good. Because when I use the password, I'm using it on the insecure systems outside my organization--the same one I'm using on the secure systems.

What the penetration testers will tell you is that as soon as any of them get a password, they immediately try them everywhere they see the person using machines. If I can steal the password from your toaster one day, I am going to try that on your top-secret machines at work.

So is security getting better? Is it getting worse?
It's smart people on each side and we're going to do battle, and sometimes we're going to win a battle and sometimes somebody else is going to win a battle. The thing is, everyone keeps talking about this whole better and worse thing. And a bunch of us keep trying out whether we are getting better or worse, and we can't ever figure it out. We keep trying to draw up spreadsheets, and we are not getting anywhere. Because we say, "OK, we are getting better; we got a bunch of cool technologies. People are making great technologies. Finally, we are getting some of them deployed. We are finally winning the battle where we're getting everyone to deploy a firewall." It's kind of sad, because firewalls have been around for a while.

What other technologies are being used?
(Intrusion detection systems) are picking up. We are finally getting some good technology out. Some people are coming up with some of this trusted operating stuff. The secure operating systems are actually starting to see some wider use and exploration. NSA's SE Linux looks cool as hell.

Other people have done variants on this. Just basically doing security in the kernel where it wasn't ever done before--or where it never took off. One example that's great is WireX's Immunix; it's another one that's pretty easy to use.

So it's getting better, then?
Well, we have the technology on the one hand, but the problem is that security is a human endeavor. There is no perfect. It is done by humans.

What's even crazier is that while we have humans that are creating technology to help things, we also have humans who are trying to create technology in the other direction. People who are trying to come up with not only exploits against problems, but technology to root out problems, technology to hack machines.

The thing that I try to bring up is whatever defenses I can come up with, I can also come up with counterattacks to those defenses, and defenses against those counterattacks, and it keeps going on. What we have right now on a default system is pretty sorry.

And so where does that leave security?
The thing is, it's human. It's smart people on each side and we're going to do battle, and sometimes we're going to win a battle and sometimes somebody else is going to win a battle.

But in the end, the war will never be won, and it'll never be lost.