Welcome to Slashdot News Security Privacy Graphics BSD
faq
code
awards
journals
subscribe
older stuff
rob's page
preferences
submit story
advertising
supporters
past polls
topics
about
bugs
jobs
hof

Sections

apache
Dec 2

apple
Jan 12
(3 recent)

askslashdot
Jan 11
(2 recent)

books
Jan 10

bsd
Jan 13
(1 recent)

developers
Jan 13
(6 recent)

features
Jan 9

interviews
Jan 13
(1 recent)

radio
Jun 29

science
Jan 13
(6 recent)

yro
Jan 13
(5 recent)

Hacking Linux Exposed, Second Edition
SecurityPosted by timothy on 2003-01-07 8:00
David Schaffter writes "I bought Hacking Linux Exposed when it first came out. What struck me about it at the time was that it was unlike the other hacking books that were out there. Most seemed to play on the hacker craze, and were essentially lists of cracks. Hacking Exposed, presumably the model for HLE, was very much like this. Topical, overblown, and in the end it was outdated by the time you got it." Read on to see what David finds has changed (or not) in the second edition.
Hacking Linux Exposed, Second Edition
author Bri Hatch, James Lee
pages 720
publisher Osborne McGraw-Hill
rating 10
reviewer David Schaffter
ISBN 0072225645
summary This second edition of the best selling Hacking Linux Exposed shows you in great detail how to secure your Linux box - or break into one.

HLE on the other hand was much more like a good textbook -- it taught you how to think about security, to see how each problem was caused and how to combat them. As the years went by, my copy of HLE was still as useful as it was the day I got it. For this reason, I was skeptical what they could put into a second edition -- the first seemed to stand the passage of time just fine.

Nonetheless, I bought it, and was surprised to find that the second edition is even stronger than the first, yet they have made it still work on its own -- you don't need to buy the first edition to have a complete understanding of Linux security. You should probably read their reviews page which has links to reviews of the original, as well as the Slashdot review from last time which have detailed breakdowns of what you'll find. I'll concentrate on the changes in this review.

The new edition deprecates or cuts a lot of old material that is no longer applicable -- the emphasis is on OpenSSH configuration vulnerabilities, rather than RLogin/RSH/etc, for example, which is fine since no Linux system comes with Rlogin installed by default any more. The second edition is 100 actual pages longer, but due to the condensing of old material, it's effectively 200 pages longer at least. They took out some of the material that isn't needed in the paper copy and put it online too, which was a great idea.

So, from my perspective, here are the noticeable differences:

  • More tools are covered in detail -- Exim gets equal play with Sendmail and friends, DJBDNS gets covered as much as BIND. (For configuration, that is. Nothing can match BIND for vulnerabilities.)

  • There's a whole new Denial and Distributed Denial of Service chapter, that covers the gamut - much more than just your simple TCP-connect floods.

  • There are three new chapters about post-system-compromise tricks the crackers will play on you, showing you exactly what kind of things you'll need to clean up if they get in. This stuff was absolutely amazing, and the authors could probably write a whole book on this if they wanted to.

  • More distribution-specific information.

  • Step-by-step instructions on how to patch and rebuild your kernel using the existing kernel configuration parameters, detailed enough that any newbie could do it. They have specific variants for Red Hat and Debian as well.

  • The best discussion of network-based attacks (ARP spoofing, Man-in-the-middle, session hijacking, etc) in any book, anywhere. You could easily use the stuff in this chapter to take over Windows machines too.

  • More custom tools and code than before.

  • Just passing references to things like the Morris worm, the Ping of death, ipfwadm, and other hacks and tools that are so old and irrelevant today that they shouldn't be discussed in depth any more. They get their nod, but the authors spend quality time with things of current relevance only, rather than wasting the space just to make the book look thick.

  • Even more integration with the website.

That last one needs a bit of explanation. Brian Hatch, the lead author of HLE, has a weekly security newsletter called Linux Security: Tips, Tricks, and Hackery. (You can read the article archives or subscribe.) These often have very detailed implementation instructions, such as installing DJBDNS and migrating away from BIND, using /proc to investigate cracker activities, and occasionally has contests too.

The nice thing is that Hatch has built up a body of free online instructions, and thus rather than copy and pasting them into HLE, he can point to the online articles from within the book. This saves lots of paper, and keeps you focused on the goal of the book -- to learn attack methodologies and how to stop them.

One thing that these guys prove in their book is that "code is speech." Rather than having wordy passages such as "The user then needs to run the command 'nc client-ip-address 80' on server 'freddie' from the /etc/ directory where client-ip-address is the actual ip address of the target, and type ..." they show it all through a command-line view, embedding this extra location and user information in the prompts and formatting (bold/italics/etc) like this

jdoe@freddie:/etc$ nc client_ip 80
GET /some/web/page
<head><title>This is some web page</title>
...

They always show you what's actually going on behind the scenes -- an actual SMTP or POP conversation for example -- so you know how things really work, rather than living in a black box where Nessus says "vulnerable" and you don't know how to determine it on your own.

Here's a very quick table of contents:

  • Part I: Linux Security Overview
    • Chapter 1 -- Linux Security Overview
    • Chapter 2 -- Proactive Security Measures
    • Chapter 3 -- Mapping Your Machine and Network

  • Part II: Breaking In from the Outside
    • Chapter 4 -- Social Engineering, Trojans, and Other Cracker Trickery
    • Chapter 5 -- Physical Attacks
    • Chapter 6 -- Attacking over the Network
    • Chapter 7 -- Advanced Network Attacks

  • Part III: Local User Attacks
    • Chapter 8 -- Elevating User Privileges
    • Chapter 9 -- Linux Authentication

  • Part IV: Server Issues
    • Chapter 10 -- Mail Security
    • Chapter 11 -- File Transfer Protocol Security
    • Chapter 12 -- Web Servers and Dynamic Content
    • Chapter 13 -- Access Control and Firewalls
    • Chapter 14 -- Denial of Service Attacks

  • Part V: After a Break-In
    • Chapter 15 -- Covert Access
    • Chapter 16 -- Back Doors
    • Chapter 17 -- Advanced System Abuse

  • Part VI: Appendixes
    • Appendix A -- Discovering and Recovering from an Attack
    • Appendix B -- Keeping Your Programs Current
    • Appendix C -- Turning Off Unneeded Software
    • Appendix D -- Case Studies
The HackingLinuxExposed.com website has a more complete list of contents, as well as a sample chapter.

The other nice thing is the authors have put all their source code, tools, and example cracks online for free download, released under the GPL. You may notice that you need to type a password to get in, but if you have half a hacking cell in your body, you'll find that the authors think a password requirement is stupid as we do.

If I could change one thing about this book, it would be the risk ratings. These are the dumbest things I've seen. These are little boxes at the beginning of each 'Attack' that list three values: "Popularity", "Simplicity" and "Impact." It then averages these and comes up with a risk rating. Since all the Hacking Exposed books have them, I can only assume it was a requirement of the publisher -- I don't know if Hatch and Lee care for them one bit, but I can tell you I find them useless. (Of course, I give this book a 10 in spite of this fact.)

These numbers are presented as quantitative, but it can't possibly be. I can argue giving many different values in each category, so what does this actually tell us? For example take open X11 servers. Impact could be 10 because you could type a root password that's intercepted, or it could be 7 because it only gives you user-level access. Popularity could be 3 if you say most people don't set it up this way, or you could say it's 9 because many crackers look for open servers. I'd rather they just used impact, gave it a scale of 1-10 and were done with it. The popularity and simplicity factors override the impact in too many cases to make the final value anything but specious.

Aside from that drawback, which is easily ignored, the book is absolutely solid.

When I was about to buy my copy, I noticed that the authors are donating all online proceeds to the Electronic Frontier Foundation, so you should order through their website, regardless what the Slashdot link may be. ;-)

In my opinion, there's no Linux user who should be without this book. It's 720 pages of answers you need to keep yourself secure from the blackhats, or 720 pages of ways to become a blackhat yourself, depending on your ethical alignment. Either way, you won't be able to put it down, except to type as you follow along.


If David did not convince you otherwise, you can purchase Hacking Linux Exposed, Second Edition from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Bri Hatch (523490)
[ Preferences ]

Related Links
Compare the best prices on: Software/Utilities
reviews page
Slashdot review from last time
article archives
subscribe
installing DJBDNS and migrating away from BIND
using /proc to investigate cracker activities
contests
HackingLinuxExposed.com
list of contents
sample chapter
Electronic Frontier Foundation
their website
Hacking Linux Exposed, Second Edition from bn.com
book review guidelines
submission page
More on Security
Also by timothy

Book Reviews
Need something to read? Slashdot's book review section is full of reader-submitted reviews of books you should know about.

Add your name to this list! Submitting your own review for consideration is easy. Just read the Slashdot book review guidelines, and then use the web submission form.

Update: 20021122 11:15 by timothy

< Cryptome Log Subpoenaed | Setting CPU Priority on NT/Citrix? >
Hacking Linux Exposed, Second Edition | Preferences | Top | 170 comments | Search Discussion
Threshold: Save:
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
I was afraid for a sec... (Score:5, Funny)
by mschoolbus (627182) Alter Relationship on 2003-01-07 8:28 (#5033022)
At first I thought this said something about "Linus Exposed"... Thank God I mis-read that...
[ Reply to This ]
DDos (Score:4, Funny)
by gmuslera (3436) Alter Relationship <gmuslera.internet@com@uy> on 2003-01-07 8:31 (#5033041)
(http://www.internet.com.uy/gmuslera)
The book list slashdot as the distributed denial of service main source?
[ Reply to This ]
  • 1 reply beneath your current threshold.
Hacking Linux? (Score:2)
by grub (11606) Alter Relationship <grub@grub.net> on 2003-01-07 8:32 (#5033053)
(http://www.grub.net/)

What is it? Just the source code to BugBear?
--


--
Cult: (n) a small, unpopular religion.
Religion: (n) a large, popular cult.
[ Reply to This ]
    Yep, it's just cut/paste (Score:5, Funny)
    by Bri Hatch (523490) on 2003-01-07 9:46 (#5033785)
    (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
    Yes, HLEv2 is a complete rewrite of the original. Instead of adding new content and updating old things, we decided it'd be much faster for us to scrap everything we had. Instead we have code listings of the following, cut and paste from the original source:

    • WU-FTPD versions. All of them.

    • BIND. Only the ones that have had critical bugs. (About half.)

    • A complete copy of /etc/services, uncommented, in case you don't have your Linux machine around at the time.

    • A chapter on security problems when writing Pascal code, cribbed from something on USENET from 1983

    • A complete byte-by-byte deconstruction of an shttp session, explaining exactly how it works. (And yes, I mean shttp, not https)

    • A copy of the Linux tulip ethernet driver code, for no aparent reason.

    We decided that this sort of content would provide the quickest time-to-market without any need to tech edit. By providing 0% useful information, it should be able to be read in whole as fast as you can turn the pages - no reading required. We found that people were not able to read the reviews on slashdot in their entirety, so why should we expect them to read ~700 pages about Linux Security?

    ;-)

    [ Reply to This | Parent ]
      Re:Yep, it's just cut/paste (Score:2)
      by Bri Hatch (523490) on 2003-01-07 12:27 (#5035144)
      (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
      I make it a rule never to make any public comments about books that could be considered 'competition'. If I were to say they're bad, you'd not know if I were being honest or devious. If I say they're good, then OMH can get on my case for "allowing my name to be associated with competing works, blahblahblah".

      Unfortunately, I bet even "complementary" books could be considered "competing" in the minds of lawyers, so I stay away from talking about books that could be considered competition, even if I don't agree. So that's why you won't see me commenting about RWLS, for example, though I will comment about non-RWLS topics in that thread.

      However, yes, when writing the joke above (it should be moderated "funny" not "informative, for goodness sake!) I did have a very specific book in mind after which I modeled my list, and of course I can't say what it was.

      And no one has guessed my /. password. I don't even know it. I use the terribly insecure 'bookmark this link' method. If anyone guesses it, I'm screwed. Call me lazy, but I prioritize what should be super secret and what's not worth the effort.


      [ Reply to This | Parent ]
    • 4 replies beneath your current threshold.
Except that it should be called... (Score:4, Insightful)
by Boss, Pointy Haired (537010) Alter Relationship on 2003-01-07 8:35 (#5033095)
"Cracking Linux Exposed", it's a great book.

As someone not that familiar with Linux (at the time I read it), it was very easy to read , and handy in helping me secure a Redhat box that hangs off my cable modem.


[ Reply to This ]
    Beating a dead horse. (Score:5, Informative)
    by Bri Hatch (523490) on 2003-01-07 9:25 (#5033623)
    (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
    Ok, I knew the hacking vs cracking thing would come up. Go read our response [hackinglinuxexposed.com] to this.

    For a quick bulleted list:

    • I tried to get them to call it 'cracking linux exposed'. I lost.

    • Much of the "cracking" process requires good "hacking" skills, so it's not actually a bad title anyway.

    • Each and every time we use "hacking" in the book it's used as the purists would (and I'm one of the purists)

    • When it's hacking with a malicious intent, we call it "cracking", "attacking", or "malicious hacking" as best fits the situation.

    The only exceptions to this rule are the front and back cover, on which we were either overruled, or gave up the good fight.

    [ Reply to This | Parent ]
      Re:Beating a dead horse. (Score:2)
      by alienmole (15522) Alter Relationship <tontobius@hotmail.com> on 2003-01-07 10:29 (#5034126)
      It's nice to hear that the authors weren't responsible for this travesty.

      I could care less about what the mass media calls a "hacker". But the problem I have with this book title is that it's horribly misleading. I first thought, based on the title, that it might be a book I would be interested in - a book about hacking Linux, sounds great. Then I found out it was all about security. It took a while for this to completely sink in to the point where I finally realized that I'm really not that interested in the subject matter. The title makes no sense whatsoever!

      Next time, explain to your editors/publishers that even if they don't understand the terminology, the target market just might!

      I realized, in trying to conclude my mild rant, that the real problem I have with this title is that no-one will be punished for it. I want justice! Revenge! Heads must roll! Stupidity must be stamped out! Death to idiots!

      Aaaaaaaahh... that's better.

      [ Reply to This | Parent ]
      Yes, I'm the author (Score:2, Interesting)
      by Bri Hatch (523490) on 2003-01-07 9:49 (#5033801)
      (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
      Ok, I don't use sigs or anything to plug my books. I like to be a normal /. person. But in case you're suspicious (you probably have a good future in computer security...) I'll post my /. id to our website [hackinglinuxexposed.com] so you know it's me.
      [ Reply to This | Parent ]
        just a thought (Score:2)
        by Ender Ryan (79406) Alter Relationship on 2003-01-07 12:31 (#5035160)
        Why not plug your books in your sig? Or indirectly, you could just link to this /. review. Lots of people do it, and I haven't noticed anyone who minds. FYI, I just purchased your book, thanks to this glowing /. review.

        And while I'm typing at you, I'm really glad that you're donating money to the EFF. There are just too many people who simply don't put their money where their mouths are.

        Cheers


        --
        Sticking feathers up your butt does not make you a chicken - Tyler Durden

        [ Reply to This | Parent ]
          "Marketing" in sigs (Score:4, Insightful)
          by Bri Hatch (523490) on 2003-01-07 14:41 (#5035819)
          (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
          Why not plug your books in your sig? Or indirectly, you could just link to this /. review. Lots of people do it, and I haven't noticed anyone who minds.

          In my email program (mutt [mutt.org]), I have a perl script pick randomly from ~800 different signatures. (Most new additions seem to be from the "witty comments from my daughter" category.) The script must have some sort of AI in it, because it freqently picks things that are relevant to the text. Having just a static signature for /. seems less interesting. Manually changing it certainly more work than I'm up for.

          I don't want folks reading my /. posts and thinking I'm just writing them to have my sig get more notice. I don't want folks seeing my posts and assuming that they has more or less relevance because of the info in the sig. If folks want to see who I am, it's easy enough to click on my home page or /. area.

          And I am very very bad at self promotion. Anything I'd write for a sig would sound pompous.

          I'm really glad that you're donating money to the EFF. There are just too many people who simply don't put their money where their mouths are.

          I don't have the time, energy, or know-how to do what the EFF does. But they seem to fall on the same side of every issue that I do. So I do the best I can - send them cash. Now if only we could fund EFF as well as some corporations fund lackeys on capitol hill.

          [ Reply to This | Parent ]
          • 1 reply beneath your current threshold.
    • 1 reply beneath your current threshold.
    Re:Except that it should be called... (Score:2)
    by Latent IT (121513) Alter Relationship on 2003-01-07 9:09 (#5033478)
    No, that's still cracking. Breaking security is cracking, period. Skilled coding, and especially using or improving things so that they can do more than before, is hacking.

    For example (and this is a paraphrased quote, since I can't remember who said it, and can't seem to manage to look it up) a good example of a hack is using that lamp on the wall over there to get me a beer.
    --
    C'mon, New York. Let's show the world we still have some balls [wtc2002.com].
    [ Reply to This | Parent ]
  • 1 reply beneath your current threshold.
A play by play review (Score:3, Informative)
by Trin2 (632824) Alter Relationship on 2003-01-07 8:36 (#5033119)
I was planning on doing a review of Hackin Linux 2nd edition, but obviously was too late. The one above is accurate, but not helpful if you didn't read the first ed. Here's my more descriptive review of the book's contents:

Hacking Linux comes in six parts, each of which is worth the price of the book in whole. Part one: security overview covers all the basics like file permissions, setuserid problems, buffer overflows/format string attacks, tools to use before you go online, and mapping tools like nmap. Part two comes in from more of the hacker angle with social engineering and trojans, attacks from the console, and then concludes with two excellent chapters about netowrk attacks and TCP/IP vulnerabilities.

All the stuff to this point assumes the hacker is on the outside. Part three takes over and shows you what the hacker will do once they've gotten on, such as attacking other local users including root, and cracking passwords. It becomes obvious that you need to protect things from insiders as much as from the outsider, because the outsider will usually get in as a normal user first, and if you can prevent him or her from getting root access, the damage cannot be nearly as severe. A lot of books don't cover this angle at all, and it's done superbly here.

Part four covers common problems in internet services. First they discuss mail servers. Sendmail, Qmail, Postfix, and Exim each get covered in detail - it's nice to see more than just Sendmail discussed in a security book. Of course, it'd be even nicer to see something other than Sendmail installed on a Linux machine by default. Next they cover problems with FTP software and problems with the FTP protocol. I'd never seen "beneath the hood" and realized how wierd FTP really was, and why it's not supported by firewalls very well, and the authors show you the inner workings of it so anyone can understand the problems. They continue with Apache and CGI/mod_perl/PHP/etc problems, both from a coding standpoint and how to secure against outsiders and your own web developers. Next it's on to Firewalls (iptables and TCP wrappers) and lastly (distributed) denial of service attacks. The countermeasures for the DOS problems are excellent, and a must for anyone with a server.

Part five covers everything a hacker can do once they've broken in. They describe trojan programs, trojan kernel modules, and configuration changes that can be used to keep root access, or hide the hacker activity, or let them get back in should the computer be partially fixed. This was not only complete, but scary in how many different things they showed. It works both as a blueprint for what you need to defend against, how to clean up after a hacker has gotten in, and also how you could back door a machine if you get in. I'll leave the ethics up to you.

Lastly we have part six, which is the appendicies. While most times I ignore appendicies, these are really an integral part of the book, and are referenced throughout the book all over. (This very good, because it keeps the book from having too much repeated countermeasures.) They discuss post-breakin cleanup, updating your software and kernel, and turning off daemons (both local and network ones) and a new case study. The book is good about covering Linux from a distribution-agnostic standpoint (it doesn't assume you use RedHat, unlike everything else out there) but in these appendicies they cover the differences you may encounter. They show you how to use dpkg/apt-get as much as RPM as much as .tgz packages, discuss both inetd and xinetd, and even svscan/supervise. They are extreemly complete.

Hacking Linux Exposed 2nd Edition is required reading for anyone with a Linux machine, period.

[ Reply to This ]
Nothing can match BIND for vulnerabilities. (Score:3, Funny)
by wiredog (43288) Alter Relationship on 2003-01-07 8:38 (#5033137)
(Last Journal: 2001-10-01 15:53)
I dunno, ever use Outlook?
--

When the going gets weird, the weird turn pro. [aspectus.com]
[ Reply to This ]
A Good Series (Score:5, Informative)
by orin (113079) Alter Relationship on 2003-01-07 8:38 (#5033145)
(http://www.certtutor.net/)
This is a good series for a person with an average level of experience to get some form of understanding what sort of expoits are out there. Many of these computer security type books go a little too much for the hype (watch out for the 31337 haX0rz!) and not enough stepping you simply through why and how an expoit works. Someone new to Linux admining will pick up more about Linux security reading this book than they will many others. It contains a good list of the most popular expoits. Of course your box won't be entirely secure if you read this book (security is a process) and to a seasoned sysadmin much of this will be old hat. It will however mean that your system is probably less hackable than some other administrators who has a similar level of experience but hasn't read this book.

This series Windows 2000 offering is very good as well - not a lot of hype but tends to get down to the brass tacks of how to start to secure an out of the box installation.

The only problem with these books is how quickly they do become dated. You won't get an amazing amount of use out of them in 5 years time except for as some sort of historical perspective. Not a lot of depth into the methodology of locating exploits - just more a list of exploits and how to understand their use.
[ Reply to This ]
    Re:A Good Series (Score:2, Insightful)
    by blahlemon (638963) Alter Relationship on 2003-01-07 10:58 (#5034346)
    The only problem with these books is how quickly they do become dated. You won't get an amazing amount of use out of them in 5 years time except for as some sort of historical perspective.

    It doesn't matter how dated the book is, I've found the entire "exposed" series is great for getting you think in the right direction how to plug holes and where the next holes might be. Anyone who reads them strickly as an instruction manual will be easily comprimised. The person who reads them to understand the fundamentals will be much more secure.

    [ Reply to This | Parent ]
    • 1 reply beneath your current threshold.
I am so confused... (Score:4, Insightful)
by The Breeze (140484) Alter Relationship on 2003-01-07 8:42 (#5033179)
(http://www.desertzephyr.com/employees/calabrese)
Is it just me or does the intro to this article bear little relation to the body?
The "summary" uses the words "overblown, outdated and obsolete" while the review itself goes on to rave about how wonderful the book is. Quite odd.

[ Reply to This ]
exploits are *not* outdated (Score:4, Insightful)
by josephgrossberg (67732) Fan on 2003-01-07 8:55 (#5033265)
(http://josephgrossberg.blogspot.com/ | Last Journal: 2002-10-21 6:22)
You're assuming all network admins keep tabs on the vulnerabilities, update their software frequently and have the necessary time to dedicate to such important things.

But they don't always. Yes, even on Linux.
--

Joe
http://josephgrossberg.blogspot.com [blogspot.com]
[ Reply to This ]
    Yes, exploits of particular versions are outdated (Score:5, Insightful)
    by Bri Hatch (523490) on 2003-01-07 9:18 (#5033566)
    (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
    I disagree. If the book were filled with "Here's how to break into wu-ftpd version x.y.z, it would be pretty useless. I'd hope that by the time the book was in print, a new version of the software would have been written that fixed the problem. A book that simply lists one crack after another for their own sake is not helpful.

    However if you show different types of attacks as a teaching tool -- "Here's how an off-by-one error in OpenSSH caused it to be exploitable" for example -- then you can show different classes of attacks so the reader understands the actual problems that occur in many different software products.

    The goal was to show different kinds of vulnerabilities as explanation. Anyone who is still running older buggy software isn't maintaining their system properly. (And yes, we cover how to upgrade packages in great depth.)

    On the other hand, sometimes the problem is configuration: I can have a perfectly secure OpenSSH version, but if I ssh to an untrusted host with X11 forwarding on, the X11 server on my client is easily compromised. No new version of OpenSSH will fix this, it's an inherent problem with the all-or-nothing nature of X11. So configuration-based vulnerabilities do stand the test of time.

    I'd never just write a book with a list of BIND vulnerabilities that are based on bugs in the source code, but problems with the DNS protocol itself (it's easily spoofable, leading to MITM attacks) are fair game for in depth coverage.

    So, version-specific attacks are only covered if they help teach a concept. Configuration-specific attacks are covered if they are likely to stand the test of time. Protocol-related vulnerabilities (FTP bounce attacks/etc) are fair game until the protocol is destroyed with a big huge mallet.

    [ Reply to This | Parent ]
      Re:Yes, exploits of particular versions are outdat (Score:2)
      by josephgrossberg (67732) Fan on 2003-01-07 10:42 (#5034225)
      (http://josephgrossberg.blogspot.com/ | Last Journal: 2002-10-21 6:22)
      Wow, a response from an author! I'm very flattered.

      Can you provide some insight on why the price went up 25% in under two years?

      Hacking Linux Exposed, Second Edition
      by Bri Hatch, James Lee
      List Price: $49.99
      Paperback - 720 pages (Dec, 2002)

      Hacking Linux Exposed: Network Security Secrets and Solutions
      by Bri Hatch, James Lee, George Kurtz
      List Price: $39.99
      Paperback - 608 pages (Mar, 2001)

      Are the extra 112 pages that nice? Not to be cynical, but are you trying to be agressive about the people who already own version 1 (like me)?

      Joe

      P.S. Lest you get the impression otherwise, I liked the book.
      --

      Joe
      http://josephgrossberg.blogspot.com [blogspot.com]
      [ Reply to This | Parent ]
        Price increase (Score:5, Informative)
        by Bri Hatch (523490) on 2003-01-07 10:58 (#5034347)
        (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
        I didn't even notice that the price increased until right now. I have nothing to do with the price of the book. I have no idea how they set it. Maybe the higher price means we will make minimum wage for our troubles this time...

        In actuality, there are about 200 new pages, since we cut out a lot of older stuff, condensed things that are not as relevant that still deserve a good nod, and put the original three case studies online instead.

        Chapter 10 grew to be three chapters all told. Chapter 11 needed to be split because it was too big for both Mail and FTP in one chapter. We covered many new attack methods and tools. Everything grew substantially, in spite of trimming out the old and tightening up what we had.

        And we fixed a bunch of errors and added completely new ones.

        Everything in HLEv1 is still valid. If you own the first, I'd suggest you compare the contents [hackinglinuxexposed.com] of the two books to decide if you want it or not. Or browse it at the store. Unfortunately, the sample chapter [hackinglinuxexposed.com] is again chapter 1, which is one of the least modified chapters, so it doesn't give you the best indication of what's new.

        This is my best stab at a response. I am so much not a marketing guy, I'm a geek.

        [ Reply to This | Parent ]
    • 1 reply beneath your current threshold.
    Re:exploits are *not* outdated (Score:3, Insightful)
    by Daytona955i (448665) Alter Relationship <<Christopher.John ... <at> <drexel.edu>> on 2003-01-07 9:23 (#5033612)
    (http://www.pages.drexel.edu/~cjf24)
    Most users who do not update their software probably also don't recompile their kernels and would instead get a new copy of red hat thus installing new updated versions of their software.

    I think most people who want to keep a stable kernel would take the time to update their system or keep track of vulnerabilities in the software they do run. The only people I know that don't update their software and OS are windows users. Though they tend to update to the latest major release. (except for some people I know who still run 98)
    -Chris
    [ Reply to This | Parent ]
A perfect 10? (Score:2, Insightful)
by watzinaneihm (627119) Alter Relationship on 2003-01-07 8:59 (#5033322)
I have a copy of the book, and the way the book is written it seems it is more useful for the sysadmin types.
But the problem is that any good sysadmin would know atleast half of this stuff already, making the reading kind of boring. Now what I want is a good way of finding how to secure "my" system. When I read about how to set up NFS securely I really don't want to know that sun solaris had a vulnerability in their OS a few years ago which allowed elevation of privileges etc., what I want to know is how to do it now, with the right packages on Linux.
But as a general read the book is full of anecdotes and examples and makes a good reading.
[ Reply to This ]
Interview with HEL author (Score:2, Interesting)
by Anonymous Coward on 2003-01-07 9:07 (#5033441)
I I just noticed that one of the HEL authors was interviewed by LinuxSecurity.com. It's available here [linuxsecurity.com]. Here are some interesting parts:. And no, this is not karma whoring - I'm posting AC.

LS: Supposing you had free time, what would you be doing with it?

Brian: I'd devote some time to helping out the Linux Security Module project. I hope to help port systrace to LSM next year. Currently it is a kernel patch, and I think the community would be served better in the long run by having it available as an LSM module, which would make it more accessible to those who fear kernel compilation.

And some day I hope to get around to turning some of the megs of perl code I've written over the years into well defined Perl modules for CPAN. Then I won't be the only one supporting this spaghetti code. ;-)

If I had infinite time, I'd learn to play the Hammered Dulcimer and French Horn. There's nothing in the world as musical as a well-played French Horn.

LS: In your opinion, what is the most interesting thing about Linux and Security?

Brian: The first thing is that, with Linux, security is a possibility. It is not an end point - you must constantly keep abreast of new attacks and revisit your security posture - but there is nothing that is unavailable to you if you want to look. Closed source systems can never offer this. By design, be it chosen for monetary reasons or to prevent competition, closed source products always hide details from the users and administrators that could be critical to understanding how thing function, and how they can be broken.

One of the beauties of Linux (and other open systems, such as *BSD) is that you can use them to boost the security of those closed source machines. By the liberal application of Linux machines throughout your infrastructure, you can keep those exploits-waiting-to-happen locked down where they can do less harm. For more of my ranting on this topic, see my article Linux is Securable -- I won't waste time rambling here.

What is most intriguing right now on the Linux horizon is the evolution of security controls. In the beginning, all you had to work with were file permissions. Root could do absolutely anything unchecked, and root access was required for some things such as binding low network ports or opening raw sockets, which meant use of set userid bits on programs, which frequently were broken to gain root access.

Next came capabilities, where each bit of root's power was defined in more specific terms. When determining if a process could bind port 80 originally you'd check to see if uid==0. Now you'd check if the process had the CAP_NET_BIND_SERVICE capability. In theory, you could now remove capabilities from the system - for example removing the ability to load kernel modules ever again, which is good for defending against malicious LKMs.

It goes on quite a bit - a good read.

[ Reply to This ]
Linux versus Windows Challenge (Score:3, Informative)
by schaftmstr (627387) Alter Relationship on 2003-01-07 9:36 (#5033717)
One thing I forgot to put in my review is this:

The HLE authors have a Windows vs Linux Security Challenge [hackinglinuxexposed.com] where they want to have a Linux security team and a Windows security team install and secure a Linux and Windows machine at the same time, documenting what they do and how long their machines are vulnerable. I'd love to see this. It'd be a great way to see exactly how bad Windows machines for both generic installation (imagine counting the number of reboots for one vs the other as you update service pack after service pack, a reboot after installing IIS, another when you change your password ;-) and security (locking down the machine so that IIS doesn't have a billion holes from the default installation).

I'd pay good money to see this.

[ Reply to This ]
    Re:Linux versus Windows Challenge (Score:3, Interesting)
    by ostiguy (63618) Alter Relationship on 2003-01-07 10:14 (#5034014)
    You ought to try windows more often, if you want to make comments like this. I slipstream service packs in all of my win2k distribution points, so my minimum is win2k+ sp3. You then can chain together hotfixes, and reboot once.

    ostiguy
    --
    The MCSE with > 50 karma. Do *you* believe in miracles?
    [ Reply to This | Parent ]
    • 1 reply beneath your current threshold.
    Default install of *anything* is buggy (Score:5, Interesting)
    by Bri Hatch (523490) on 2003-01-07 10:22 (#5034073)
    (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
    Any well-featured Linux distro is not secure unless it ships with everything off, which is seldom the case. This is a big beef of mine, but it's getting better over time. It's an ease-of-use vs security situation. You install Apache, the distro assumes that you want to run it, so it sets up the links in /etc/rc?.d and /etc/init.d so it runs. So, there's no real difference between Linux (speaking generically of all distros) and Windows here.

    However the process of hardening them is very different. I bet I can install Debian with minimal packages and achieve all the functionality I claim within an hour or two, with one reboot just to make sure it would come up correctly if it's out in a remote datacenter somewhere.

    But that's really no the point - I'd like to see good explanations of what's needed to secure both. It's not just a competition to say Linux is easier /faster to secure (though I suspect that would be the consensus.) It's a way to create more documentation for everyone, Linux and Windows users. In that respect, it's more noble than just a pissing contest.

    If I ever got off my butt and tried to actually make the thing happen.

    [ Reply to This | Parent ]
      Re:Default install of *anything* is buggy (Score:2)
      by strobert (79836) Alter Relationship on 2003-01-08 2:48 (#5038815)
      (http://www.strobe.net/)
      hopefully I won't start a flamewar, but seeing you mention in an hour or two makes me wonder if you have ever tried kickstart under redhat (the main reason we haven't looked at debian seriously). Because of kickstart's automated abilities limited package secure installs in 5-10 minutes. Combine that with treating most machines as disposible. Makes recovery real easy. archive a copy of the server for analysis (optional) and re-install (since as most people know and apparently you point out in your book recovering from a break in without a reinstall is not exactly a trivial matter)
      [ Reply to This | Parent ]
        Context: Windows vs Linux Security standard inst. (Score:2)
        by Bri Hatch (523490) on 2003-01-08 8:25 (#5040305)
        (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
        The context of this thread is for my proposed Windows vs Linux Security Challenge [hackinglinuxexposed.com] which is meant to model what a normal user would need to go through to create a secure install from scratch. Sure, I can set up a very detailed list of packages and specific application configuration for a big web farm and install with kickstart. I could even set up a disk and clone it with 'dd' and a few shell scripts to change IP addresses. But that's not going to help teach new Linux users what the securing process looks like.

        So I do not dissagree with you -- your solution is definately optimal for creating lots of good machines -- but the goal was to show how to install and secure one machine in a standalone environment with a set suite of server software.

        As to the actual time I'd take to do the install and lockdown, I think 2 hours is plenty, given the proposed packages that must be installed and configured:

        Including the (secured) operating system itself, the final server configuration must support (as secure as possible)

        • A Web Server, preferably with dynamic-content generating capabilities, such as ASP or mod_perl. No documents need be installed, however all default-install documents/programs must be deleted. In other words, every possible request should return a 404.

        • Anonymous FTP Server (read-only)

        • Mail Server (able to accept email for itself and send to other Internet machines)

        • DNS Server (able to act as a primary for 'OS.example.com' and as a cache for the local network)

        • Firewall rules that allow only the above protocols, and any other packets necessary for system administration and normal functionality. (Inbound SSH, DNS Replies, etc.)

        The software I'd probably choose would be Apache (mod_perl), DJB's publicfile for anon FTP access, Postfix for the mail server, and DJBDNS for the DNS server/caching server.

        Now that 2 hours includes keeping a log of what I'm doing, or at least explaining it to someone who can keep a good running log, includes download time of updates (like I said, this should be like an end user, so the packages should be out of date on the install CD) and time to go get and consume a grande non-fat extra carmel carmel macchiato from starbucks.

        [ Reply to This | Parent ]
    • 2 replies beneath your current threshold.
  • 1 reply beneath your current threshold.
I just bought this book too. (Score:2)
by farrellj (563) Alter Relationship on 2003-01-07 9:47 (#5033789)
(http://www.courts-of-chaos.com/mozilla/)
I was tremendously impressed by the approach they took with the book, with code examples, and explaing why things work, and how/why they approached the problems with the solutions they did....rather than just saying "Do this not to get cracked". I also picked up the 3rd edition of _Essential System Administration_, another ongoing classic.

These two books are must-have tomes for any serious SysAdmin!

ttyl
Farrell
--
---
"...a little anarchy, but not the hurting kind!"
[ Reply to This ]
Stands on its own? So what? (Score:2)
by p3d0 (42270) Alter Relationship on 2003-01-07 14:38 (#5035803)
(http://www.eecg.toronto.edu/~doylep)
...yet they have made it still work on its own -- you don't need to buy the first edition to have a complete understanding of Linux security.
When do you ever need to read a 1st edition to understand the 2nd edition? Does that ever actually happen? It's not like we're talking about a sequel here.
--
--
Patrick Doyle
My comments do not reflect the opinions of my employer.
[ Reply to This ]
Re:Where's the 'hacking OpenBSD' chapter? (Score:5, Insightful)
by mangu (126918) Alter Relationship on 2003-01-07 8:54 (#5033255)
Yes, and still more interesting is the total absence of chapters on stock-car racing or cajun cooking. Wonder why? See, it's a book on Linux, OK?...
[ Reply to This | Parent ]
Re:Where's the 'hacking OpenBSD' chapter? (Score:2, Insightful)
by malloci (467466) Alter Relationship on 2003-01-07 9:36 (#5033719)
well, consider the fact that openBSD runs openssh like linux, apache like linux, bind like linux, and a slew of other application level software that linux also does and wammo, you have something that relates to openbsd.

How many exploits can actually be attributed to the underlying operating system alone? On the whole, not many. Most are a consequence of what applications the sysadmin/user are running atop the os.
[ Reply to This | Parent ]
Re:Here's a copy of the article in case it gets /. (Score:2)
by Cy Guy (56083) Alter Relationship on 2003-01-07 10:25 (#5034090)
(http://www.digitalri...04_affiliatesLP.html | Last Journal: 2003-01-06 11:52)
If David did not convince you otherwise, you can purchase Hacking Linux Exposed, Second Edition from bn.com.

Or you could get it for $5 less from here [amazon.com].

I don't mind SlashDot having a financial incentive to provide links to the book at bn.com (I have an incentive to have you buy it through the above link), but what I fail to see is why they would want to see the SlashDot users consistently overcharged for tech books. SlashDot should sell its books through whatever site that can offer the lowest price, and compensate them fairly for providing the link. If they are against Amazon because of their stance on Intellectual Property, then they should make that clear as the reason for linking to BN.


--
Get Real World Linux Security $35 [amazon.com]
[ Reply to This | Parent ]
Theory doesn't grow old (Score:3, Funny)
by yerricde (125198) Alter Relationship <tepples&spamcop,net> on 2003-01-07 10:29 (#5034118)
(http://www.losingnemo.com/ | Last Journal: 2002-12-28 12:08)

Especially IT books, get outdated very fast!

Books that cover 1. theory and 2. mature environments grow outdated much more slowly than (say) a book on Visual Studio .NET version 7.


--
Hate Disney? Tell me about it! [slashdot.org]
[ Reply to This | Parent ]
  • 1 reply beneath your current threshold.
Re:Donations to EFF - How Much? (Score:5, Informative)
by Bri Hatch (523490) on 2003-01-07 10:37 (#5034184)
(http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
We set up amazon and barnes and noble afilliate accounts. If books (be they HLEv2 or others) get credited to us through that, those are the monies that get donated to EFF. To do that, you need to click on the links on our books page [hackinglinuxexposed.com] and add it to your cart from their. Amazon also credits books purchased if you came from our site originally, even if you didn't see them on our page.

For the last quarter I think we got $150 from Amazon and about $10 from B&N which we'll be sending to EFF. Not much, but it's a good way to funnel money their way. I particularly like the irony of having Amazon, creators of some pretty questionable patents, paying EFF.

An even better way to support the EFF is for you to find the cheepest copy of HLEv2 you can get at a local book store (save on shipping) and then donate the difference to EFF directly. Or don't get HLEv2 and send the whole schebang to EFF.

Become an EFF member or donate at www.eff.org [eff.org].

No, I'm not affiliated with them, other than being a paying member, but I endorse them. And some day I may need them to defend me, given that HLEv2 can be considered a tool that could be illegal under the DMCA.

[ Reply to This | Parent ]
    Update: Donations to EFF from /. effect (Score:2)
    by Bri Hatch (523490) on 2003-01-09 11:37 (#5049202)
    (http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
    For those keeping score, here's a quick update.

    Checking our Amazon affiliates account, it looks like about 70 products were ordered on the day this slashdot review was published. I can't see actual monetary amounts until the items are shipped, unfortunately. But based on last quarter's average of $2.78/item, that means we'll be sending about $200 to the EFF for that day alone.

    Also, I'd like to thank Alex Lewin who didn't buy through our links, but wrote:

    Your book sounds good, and relevant to what I do (Linux adminstration and development). I'm planning on buying it. Without looking too hard, I found it for $24.91 on Y! Shopping.

    I'll make a corresponding contribution to EFF.

    That's the spirit, guys!

    [ Reply to This | Parent ]
Re:How does the EFF donation apply? (Score:2)
by Bri Hatch (523490) on 2003-01-07 19:14 (#5037404)
(http://www.ifokr.org/bri/ | Last Journal: 2003-01-09 11:48)
See the original /. comment [slashdot.org] as well as our website [hackinglinuxexposed.com] for our reasoning behind giving money to the EFF [eff.org].

In short, yes, the donation will apply to any books that get credited to our affiliate accounts. You can go through the book links on any of the following sites:

  • Hacking Linux Exposed [hackinglinuxexposed.com]
    The book that caused yet another "Hacking" vs "Cracking" thread on Slashdot. I apologize.

  • Building Linux VPNS [buildinglinuxvpns.net]
    A book by Oleg Kolesnikov and I, reviewed on slashdot last year, other reviews here [buildinglinuxvpns.net].

  • Onsight.com [onsight.com]
    James and my company.

  • Open Source Web Development with LAMP [opensourcewebbook.com]
    A top-notch web development book by James Lee (co-author of HLE and HLEv2) and Brent Ware. I tech edited this book, and also benifited from it in a user capacity, for example setting up the handler that controls access to the auto linux hacking [hackinglinuxexposed.com] software.

Going through any of those links will work. If you prefer, you can just send money to the EFF directly and cut out the middle man.

[ Reply to This | Parent ]
  • 73 replies beneath your current threshold.
  • Satire is what closes in New Haven.
    All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest 1997-2003 OSDN.
    [ home | awards | contribute story | older articles | OSDN | advertise | self serve ad system | about | terms of service | privacy | faq ]