Wednesday, May 27, 2009

Hardlinks vs Softlinks?

Lately I've been devouring security blogs I find, almost to an extent where I'm trying to cut back because I find I am making excuses to put off my homework and studies just a little longer so I can read one more extremely interesting article. Not that it's really that bad, but it is something I enjoy doing tremendously.

Better get back to the topic of this post though: Hardlinks vs Softlinks. What prompted me to look more into this is a post on Command Line Kung Fu that talks about file linking. Paul started off talking about how to link files on *nix platforms, and then Ed comes back and talks about how windows doesn't have a way to do this.

This caught me way off guard. I thought "What about using fsutil to create a hardlink? For example, you could use something similar to the example below to create a hardlink to a file:
C:\>fsutil hardlink create newfile.txt oldfile.txt
Hardlink created for C:\newfile.txt <<===>> C:\oldfile.txt
My first reaction was that maybe Ed forgot about that command, but I quickly dismissed that notion. If anything I probably didn't understand why Ed didn't count using fsutil hardlink create as an option for creating links.

After re-reading the post, I noticed a special requirement at the beginning that said there should be only one original of the file(s)/directory. From what I knew about hardlinks and fsutil, new files that are hardlinks to an existing file also become "originals." This means that deleting the original file that hardlinks were made from will not make the hardlinked files useless. They each will still maintain a copy of the file contents and will still be linked to eachother.

After a little more research into the matter, I came up with several main differences between hardlinks and softlinks.
  1. Softlinked files create something more akin to a shortcut to a file. This maintains only one original file.
  2. Deleting a hardlinked file does not delete all other hardlinked files, and a file is never "fully" deleted until all hardlinks to it are deleted.
  3. Softlinked files are useless without the original file
  4. Hardlinks cannot be made to directories
  5. Softlinks can be made to directories
  6. Hardlinks must exist in the same filesystem
Also, it is not possible to create hardlinks to/from alternate data streams, which would be very interesting.

As it turns out, I was right in assuming that Ed knows what he is talking about :)

Starting Up

A recent post on pauldotcom talks about ways to get started in the Information Security field. This is an article I wish I had found when I was first trying to get into it. Right now, I wouldn't say I'm currently in the field (meaning I don't have a job that deals directly with Information Security), but I definitely feel like I'm well on my way.

Most of the points someone would figure out if they were relatively smart and had common sense. One of the points mentioned getting involved with local groups (linux users groups, hacker groups, etc.), which was something I hadn't really thought of before (even though it makes total sense) that might help me gain more experience with computer security. If school and my job would give me more free time, I'd like to look into this option more.

Monday, May 18, 2009

Teach the Students!

This is a topic that I feel rather passionate about. I am starting some research into the top universities in the nation to see if any of them require some knowledge of secure programming before allowing their students to graduate. My guess is that none of them do.

Earlier this year, I took an upper-level course whose main subject was ethics and computers in society. Each of us were asked to give a presentation on a specific topic of our choosing that fell into one of the broader topics we were to discuss in class. I quickly chose to talk about something in the scope of computer security, but had a hard time choosing a specific topic. I wanted to talk about something that could influence my peers to become more aware and security conscious.

My original ideas ranged from making my peers generally aware of what an attacker is capable of to some of the consequences of attacking or hacking an application/network. One day, I was perusing one of my school's sites and followed my habit of tossing text into a form that would make it apparent whether or not the inputs were sanitized. Low and behold, I saw an SQL-error message appear where the search results should have been! I explored the site a little more and discovered that the entire site was vulnerable to SQL injection. Later that week, I discovered more of my school's sites that were vulnerable. These revelations were shocking to me, for I knew that student programmers had made those sites. I couldn't believe they weren't aware of something as simple as SQL-injection. I thought to myself that at least some basic knowledge or awareness of some security principles should be required before allowing a student to develop a website. I then realized that the entire undergrad curriculum never includes anything on the topic of secure programming or making us "future-programmers-of-the-world" more security aware. My topic had found me.

I started off my presentation with some basic php code to select data from a database based on a user's search. I asked the rest of the class if they saw anything wrong with the code. A few (meaning two or three) of my peers noticed the code was vulnerable to SQL injection. The rest were clueless and watched in amazement as I demonstrated what was possible if user inputs were not properly sanitized. Realizing that most of my peers were completely unaware of SQL injection was quite a shock to me, for I knew that many of them currently held jobs as web programmers and had hoped that upper-level computer science students would be better than that. I ended my presentation by pointing them to CWE/SANS' top 25 most dangerous programming errors site and practically begged them to become more aware of security concerns and issues.

Since my initial experience with my peers' lack of awareness of basic elements of secure web programming, I have constantly thought that one of the greatest ways to increase computer security in the world is to teach the students about it and to keep them informed. In all of the curriculum that is required for a computer science major at my university, none of the courses talk about security concerns and secure programming. This should be a requirement for all universities and colleges that offer Computer Science, Information Technology, Information Systems, or other related majors. Having a requirement to learn about these subjects would immensely help solve many of the security issues present in our world today. Yes, we should continue to educate and inform current professionals in the industry, but I feel that a bottom-up approach would be the most effective and have the greatest long-term impact. As many others have already said, awareness is one of the keys to combating computer security issues.