OK, put your arrows, stones and guns away please. I am not saying every version of Linux is the most vulnerable and exploitable OS ever. But Damn Vulnerable Linux very well may be, and why not? That is exactly what its developers want it to be.
The brainchild of Dr. Thorsten Schneider of Bielefeld University, DVL was designed as a training system he could use for his university lectures. His goal "was to design a Linux system that was as vulnerable as possible, to teach topics such as reverse code engineering, buffer overflows, shellcode development, Web exploitation, and SQL injection."
DVL is made up of older, vulnerable packages such as old versions of Apache, MySQL, PHP, and FTP and SSH daemons. It also ships tools like GCC, GDB, NASM, strace, ELF Shell, DDD, LDasm and LIDA to help students decompile and reverse engineer some of the packages in the distro.
DVL was made by people with significant security backgrounds from organizations including www.Reverse-Engineering.net and Crackmes.de. Dr. Schneider is also behind the TeutoHack group, the hacker lab at Bielefeld University.
You can download the 1.8GB distribution on ISO from here.
While DVL is a great security teaching tool, there is another lesson to be learned here. We may argue until the cows come home about which OS is more or less secure, but if you don't keep up with the latest versions and patches, whatever you use will be vulnerable. It is misplaced arrogance to assume any OS or application is above being vulnerable. Of course, any time human beings are involved they can be the weakest link in the chain as well. But all software becomes a security weak link over time if you don't keep up with the updates. So please update your applications and OS regularly.
Teaching security is very much a hands-on affair. Having a teaching aid like DVL around is a great resource for anyone teaching security or wanting to polish up their security chops. If you are interested in this, you should give it a whirl. Just make sure you don't use it in a real-life production environment by mistake.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.