Interview with Bob Toxen, Author of “Real World Linux Security”
1. Who is Bob Toxen?
I am cut from standard geek material. I love science fiction, especially Star Trek. From the time I was 14 I was hooked on computers. I was introduced to them with the APL language on the mighty IBM 360/91 at IBM’s T.J. Watson Research Lab where my father was a research physicist.
I have lots of electronic toys and have more computers in my house than I can count — all running exclusively Linux. I love music, especially Gothic, Industrial, and Blues. I dabble in high voltage, pyrotechnics, and holography. For more excitement, I fly my plane, a Piper Arrow, around the Eastern United States and Canada.
At Berkeley we competed for who had the best program, with the most features, most resistance to bad data, was written in the best style, and which ran the fastest. This was good practice for being a programmer and later for doing computer security. This obsession for quality seems universal among Linux developers and lacking in some proprietary software systems.
I was one of the four programmers who ported Unix to the Silicon Graphics hardware for them. Later, I wrote a NFS server for Stratus’ non-Unix operating system, debugging it with a LAN analyzer. I wrote several more network servers, one to track Space Shuttle payload data for NASA. This was good training for network security as I learned protocols down to the bit level. It enabled me to understand vulnerabilities and defenses
down to this level too.
How did you gain interest in computer security?
I was a sophomore at the University of California, Berkeley in 1975 when lots of exciting Unix work was being done. Unfortunately, undergraduates were not allowed to do Unix research at this public taxpayer-funded university by “the powers that be”. Myself and a few friends solved this by breaking into the Unix system and conducting research without permission. Despite the best efforts of the SysAdmins, we did this for about three years straight until we finished school and headed for the salt mines of Silicon Valley.
One of my original ideas was hacking the kernel so that instead of the erase character being a “#” character, erasing would generate the now universal backspace-space-backspace sequence to obliterate the now erased character. I did the same for line erase, replacing the “@” character with however many backspace-space-backspace sequences were needed to erase the entire line on the screen. Doug Merritt helped with this work.
I created the “lock” program to lock a terminal as a convenience over logging out to maintain security. I started enhancing the Unix Version 6 shell before Bill Joy started on csh and Dr. Bourne did the Bourne Shell. Doug Merritt added vi-like editing to the shell. All of these things now are universal on Unix, Linux, and even Windows but we came up with the ideas.
Our interest in security was to stay in control of the system to make improvements to it as well as the technical challenge. We never damaged anyone’s data though the SysAdmins spent lots of time to try to get us out. They never caught Doug, Ross, or I, however hard they tried.
It was wrong for us to do this without permission and, instead, we should have found a sympathetic professor to arrange for us to get legitimate access. One of us (not the three named above) was arrested, spent a night in jail, and had to fight to avoid conviction due to our activities. This was my only less than white hat activity.
What are your favourite security tools and why?
IP Chains/IP Tables
This is the “Killer App” that allowed Linux to be a good Enterprise-class firewall. I find it far easier to configure than Cisco’s Pix, cheaper, and more versatile; IP Tables offers all of the features that most organizations need.
I wrote 60 pages on IP Tables in RWLS 2/e that includes “Tips and Techniques” for easy rule set creation and debugging, a detailed comparison of IP Tables with IP Chains, and complete IP Tables scripts for SOHO and medium organizations that want a DMZ.
Logcheck (my enhanced version)
Logcheck takes the tedium out of properly checking your systems’ log files for attacks and illness. I find it better than other tools, such as LogWatch, that either do not catch enough problems or do not discard unimportant events. I recommend that anyone running LogWatch immediately replace it with Logcheck.
My enhancements including fitting each IP Chains/IP Tables entry on a single line, being able to page the System Administrator for major problems, and not repeating “Attack” entries in the “Violations” section and not repeating “Violation” entries in the “Unusual” section. This encourages one to read all sections, knowing that it does not contain repeated data.
This version is on the CD-ROM that comes with the book and has been submitted back to Logcheck’s original author.
My own Adaptive Firewall
It runs on top of IP Chains/Tables (“The Cracker Trap”). It locks an attacking system out of one’s network within a fraction of a second.
Fyodor’s wonderful tool allows a thorough analysis of a firewall, network, or system very quickly and easily. Both SysAdmins and crackers use it daily. I even use it to see if an e-commerce site has made an effort to harden its server before I trust it with my credit card number.
Arpwatch (my enhanced version)
This wonderful tool allows the SysAdmin to know when someone connects a new system to the network or changes the IP address of an existing system within seconds. This is critical to ensure that users do not install “rogue” systems without authorization.
It also is useful to detect if any systems become compromised. In the latter case, the better crackers will change the system’s IP address to an unused one to make it harder to track down which system was compromised. With Arpwatch, one will know which system was changed unless the cracker changes both the IP address and MAC address simultaneously. In this latter case one still will know that a rogue system has appeared suddenly.
Arpwatch was created by Craig Leres of Lawrence Berkeley Labs and I have enhanced it extensively to be more useful for large networks with multiple subnets and to properly detect bogons. Bogons are systems whose IP address is incorrect for the network that they are on. Bogons indicate systems that are incorrectly configured or compromised.
This wonderful program allows fast real-time analysis of packets traversing a system or network. It allows localizing a network or firewall problem, verifying that a VPN actually is encrypting its data, etc.
How long did it take you to write “Real World Linux Security, 2/e” and what was it like?
It took about three months of 90-hour weeks to finish the manuscript and a few months of “normal weeks” for the post-manuscript production to produce the finished book. This was on top of about six months of 120-hour weeks to create the manuscript for the first edition and three months for production.
What was it like? Pure hell. I worked mostly at night because I am more creative then and there were no interruptions for email or phone calls. My friends thought I abandoned them because they never saw me and I kept sending my girlfriend away for weekends, camping, to visit her mother in Washington, DC, and elsewhere. My good friend, Stan Bootle calls it “Writer’s Widow”.
I slept very little. I did just enough for my clients so that they did not find someone else to help them. This obsession resulted in a much better book. I saw my contribution to Linux and Open Source was to help secure it. While Linux (and Unix) is capable of very good security, people did not know how. With my knowledge of security and some ability to write I saw this as my greatest contribution to Open Source. The book also is very useful to Unix System Administrators.
What’s your take on the adoption of Linux in the enterprise? Do you think it will give a boost to security?
Linux continues to “Eat Bill’s lunch” and that of the Unix vendors. With the desktop work that has been done recently and several Distributions’ work for easier installs, Linux is ready to take over the desktop market too. I think that the poor economy internationally has helped Linux.
Any old PC can run Linux quickly for no money and troublefree operation. The latter means far less support costs. Microsoft just announced that it no longer will support its flagship Office for previous Windows versions, to “force” people to buy its new stuff; I think many will switch to Linux instead.
SuSE just announced its Open Exchange product. There are several Open Source Linux-based clients for MS Exchange. Almost everyone has heard of Linux now. IBM advertises it on television. Non-geek friends want to try it.
What do you think about the full disclosure of vulnerabilities?
Full disclosure of vulnerabilities forces vendors to fix their security problems quickly and it counteracts the lies of insecure vendors that their software is secure. This seems to be why Microsoft is lobbying the U.S. government to outlaw full disclosure and Hewlett-Packard (HP) is trying to imprison someone under DMCA who disclosed HP vulnerabilities. It was disclosed only after HP refused to acknowledge the problem or repair it.
What are your future plans? Any exciting new projects?
Since finishing the book two months ago, I have created a Linux-based Enterprise-class Virus filter and Spam filter and installed them at various clients. I am finishing an article on a novel way to trace Distributed Denial of Service (DDoS) attacks so that they may be stopped much faster. I am growing my network security consulting business.
What is your vision for Linux in the future?
Linux will replace Windows and Unix as the universal operating system for everything from embedded systems and PDAs to the biggest systems. Linux’s Open Source nature and the peer pressure from its users will prevent Microsoft, IBM, or anyone else from forcing people to use inferior proprietary software again.
More governments will join China, France, and Mexico in officially preferring Linux over Microsoft for its better quality and lower cost of ownership. There is a Chinese edition of Real World Linux Security from China Machine Press.
People will have personal lives again rather than having to reinstall their Windows systems or retype their documents every weekend following crashes.