Nailing shut the cyber back door
Jay Beale of the Bastille Linux Project spends his days devising ways to help overworked system administrators close security holes.
By Robert Lemos
Special to CNET News.com
July 24, 2001, 12:50 p.m. PT

If there's a stereotype for a hacker, Jay Beale isn't it. Mild-mannered and somewhat shy, Beale--like many hackers of the old school--has made a name for himself at a young age. As the leader of the Bastille Linux Project, an open-source endeavor to make Linux systems more secure by automating the patching process, Beale, 26, is well-known in the Linux community and security circles.

CNET News.com talked with Beale at the Black Hat Security Briefings in Las Vegas earlier this month. His message: Making it easier for system administrators to secure their systems is extremely important. With Code Red and many other worms automatically exploiting known holes in systems, removing system vulnerabilities as quickly as possible gains new importance.

Q: How did you get interested in security?

Well, the other stuff was really boring, but I did the other stuff, and I kept saying we really should do something. Shortly thereafter, I left for greener pastures. And around the same time or shortly before, the math department started getting hacked about once every two weeks. It was almost like clockwork. And it was all over the place, machines all over the place. I'm not sure--they still might have the same problem, because they'd not taken the time to do security.

Did your next job take security more seriously?

Well, the four months went by and the stuff they wanted got done, but the list was longer by then. And a year later I was still working on stuff on the list, and I just ended up finding myself in security. But I was having an amazingly fun time and hopefully doing some real good for our networks.

Is that what became the Bastille Linux script? That you automated the list?

And later on, some people were trying to make a better distribution, and they were calling it Bastille Linux Project; I didn't actually start the project. They started at a SANS conference in July of '99, and three months later it hadn't really gotten anywhere. It never really took off; it's a huge amount of work to create a distribution.

What happened after that?

So they started looking for some scripts, and I saw that and really wanted to start an open-source project. John Lasser was the guy who gave me my first Linux CDs; he was running the project and I drove down to see him. He told me what he was looking to do, and I thought, "Cool." So I wrote a spec, and a whole bunch of people started helping us test immediately. Then someone submitted a firewall, and we have some others who are contributing stuff right now.

What do you run under?

What about a Windows version?

It's not about security--it's about risk management.

Is that how everyone has to think about it?

And security goes out the door, right?

A great example is in an organization where they say you have to have a 48-character password and it can't have any words in it. Well, everyone will do exactly what I would probably do in that situation, which is come up with a password and write it down. And now we've got all these written-down passwords, and maybe I'm using the same password across all these systems. And that's not so good. Because when I use the password, I'm using it on the insecure systems outside my organization--the same one I'm using on the secure systems. What the penetration testers will tell you is that as soon as any of them get a password, they immediately try them everywhere they see the person using machines. If I can steal the password from your toaster one day, I am going to try that on your top-secret machines at work.

So is security getting better? Is it getting worse?

What other technologies are being used?

Other people have done variants on this. Just basically doing security in the kernel where it wasn't ever done before--or where it never took off. One example that's great is WireX's Immunix; it's another one that's pretty easy to use.

So it's getting better, then?

What's even crazier is that while we have humans that are creating technology to help things, we also have humans who are trying to create technology in the other direction. People who are trying to come up with not only exploits against problems, but technology to root out problems, technology to hack machines. The thing that I try to bring up is whatever defenses I can come up with, I can also come up with counterattacks to those defenses, and defenses against those counterattacks, and it keeps going on. What we have right now on a default system is pretty sorry.

And so where does that leave security?

But in the end, the war will never be won, and it'll never be lost.