Domain: linuxsecurity.com
Stories and comments across the archive that link to linuxsecurity.com.
Stories · 25
-
SELinux Moving Into The Mainstream
PaxTech writes "Security Enhanced Linux is moving into the mainstream rapidly, bringing its implementation of mandatory access control to a wider audience. The agenda for the 2006 SELinux Symposium has just been announced, distributions such as Fedora are including SELinux in the default build, and ports are underway to bring SELinux functionality to BSD and Darwin. Security minded systems administrators should be learning about this technology as it provides another strong layer of security for Linux servers." -
Has the Data Security Problem Become an Epidemic?
telstar asks: "Lately, it seems like an almost weekly occurrence: confidential customer data is exposed online, despite the assurance that security measures were in place to prevent such a problem. ChoicePoint Inc., LexisNexis, and DSW Inc. were all victims of online security breaches. Ameritrade and Bank of America both admitted lost physical data tapes containing confidential client account information. Recently, Carnegie Mellon notified 19,000 students, alumni, faculty and staff that their confidential information may have been compromised. An April 2005 GAO report found that though the IRS is making progress fixing security holes in systems that it operates, they aren't keeping pace with new vulnerabilities, risking exposure of sensitive financial data of the taxpaying population of the country. To top things off, these are only the cases that we're aware of, which begs the question of how many security breaches have gone unnoticed, or unannounced. What about companies like Google? As they expand their service offerings with GMail and Google Search History, where they are increasingly responsible for retaining client data, will they become a bigger target for attackers? This is the problem. What is the solution? Are there any tips for people to help protect their identity and confidential financial information? What firms go above and beyond the call of duty to ensure that their client data is secure?" -
New HITB Videos Featuring Theo and Captain Crunch
acz writes "The Hack In The Box Security Conference 2004 videos (Part 1 and Part 2) have just been released today via bittorrent. HITBSecConf2004 attracted to Kuala Lumpur some of the biggest names in the security community to present their latest research. John T. Draper AKA Captain Crunch was present and Theo de Raadt did a fine speech on Exploit Mitigation techniques. For a live performance, you can catch up with some of the speakers and the HITB crew over at BCS2005 in Jakarta on the 23rd-24th of this month. If you're in the Middle East or Europe, there's HITBSecConf2005 - Bahrain taking place 10th-13th April in Bahrain. See you guys there." -
Looking at Linux Netwosix
linuxsecurity.com writes "This brief article outlines the history and story behind Linux Netwosix, a security-focused distribution that is still in early stages of development. Vincenzo Ciaglia, its Italian founder, gives the Linux community an update on how the project has progressed after 11 months." -
Dissecting Localized Google Censorship
carpe_noctem writes "Linuxsecurity.com has a link to a rather interesting story regarding Google's use of localized censorship. While not much information is given from the political side of why Google might be censoring information likely to annoy certain governments, it certainly isn't the first time Google has come under fire for censoring results on account of external pressures. Makes one wonder how many pages get filtered out around the world." -
Battle of the Secure Distros
CrazyEd writes "LinuxSecurity is reporting that EnGarde Secure Linux has received the Network Computing Editor's Choice award to win the battle of the Secure Linux distributions. Well deserved, me thinks." Update: 06/10 15:16 GMT by T : An anonymous reader points out that Linuxlookup.com reviewed this distro last week, awarding it a perfect score. -
Hiding and Recovering Data on Linux
neuroticia writes "linuxsecurity.com has an interesting article on data hiding and recovery: "On a 4GB Linux partition, the block size is typically 4K (chosen automatically when the mke2fs utility is run to create a filesystem). Thus one can reliably hide up to 4KB of data per file if using a small file. The data will be invulnerable to disk usage, invisible from the filesystem, and, which is more exciting for some people, undetectable by file integrity checkers using file checksumming algorithms and MAC times. Ext2 floppy (with a block size of 1KB) allows hiding data as well, albeit in smaller chunks."" -
Bug in zlib Affects Many Linux Programs
-
Open Source Security Testing Methods?
bewmIES asks: "We just conducted this interview with Pete Herzog about Open Source Security Testing Methods over at LinuxSecurity.com. I was curious to know if anybody is actually using these standards. With the bad reputation most software has in regards to security, I think this is a step in the right direction. Somebody who does not know much about security can read a manual giving them a crash-course, and then a 'Security Q&A' type person can audit the software. In the real world I don't know how practical this is, but it would save a lot of the egg-on-face incidents due to a simple buffer overflow..." -
Know Your Enemy: Honeynets
bewmIES writes "The guys over at the Honeynet project have released the latest chapter in their "Know Your Enemy" series describing how to implement a honeynet. This is great reading even if you don't have any plans to implement one and does a very good job explaining the elementary concepts behind it all, along with the implications." Extremely interesting reading here. -
Using GnuPG with Pine
bewmIES writes "I have written an article entitled Using GnuPG with Pine for Secure E-Mail. It explains, with detailed examples, all of the relevant steps to get pine configured with pinepgp using GnuPG. It is intended for the common person who does not need to know all of the details of the underlying encryption methods. This is the first paper in an "encryption for the common man" type series that I have going in my head :). Any comments/critiques are more than welcome." -
New Kernel Security Features In 2.4 Explained
bewmIES writes: "Dave Wreski of linuxsecurity.com and author of the recent netfilter article here on slashdot has written an excellent introduction to some of the latest security enhancements to the 2.4 kernel entitled Linux 2.4: Next Generation Kernel Security. He speaks about the future of crypto integration, new character and block devices, and has a very well-written summary of capabilities." Perhaps this will answer at least some people's needs for ACL capabilities in Linux. -
Linux 2.4's Firewalling
A reader writes "Dave Wreski finished an article for linuxsecurity.com on the security improvements available in the new 2.4 kernel packet mangling/filtering." This is a fairly basic level newbie type article (assuming you at least have a pocketful of networking experience) and is worth reading to bring you up to speed on what's new and exciting. -
Slashback: Bindery, Locality, Gruviness
Much has happened in the world, some of it even worth reading about. For instance ... More on BIND and where it's headed regarding openness, licensing and other things; an update on Protozilla, and what is undoubtedly not the final word on Linuxgruven, SAIR and company.
Why is there a lizard in my hard drive? chromatic writes: "The Protozilla team has responded to the earlier Slashdot article with answers to some common questions." This helps explain a lot of the questions raised in comments about why anyone would want or need to run CGI processes locally. Yet another win for documentation!
The ties that BIND make great cable-holders, too. fredpasteck writes: "LinuxSecurity.com has a FAQ from Paul Vixie that helps to explain some of the controversy and misunderstanding surrounding the ISC's creation of a 'members-only' mailing list. Perhaps the community was a bit quick in their assessment of what's going to happen?"
Do you feel reading Bugtraq makes it easier to talk to people? Speaking of BIND, to dispel any misconceptions which may have entered the minds of readers of this story (which cited the reaction of several Big Names to recent moves to restrict certain information about BIND), Kurt Seifried of Securityportal wrote to clarify:
I actually interviewed Vince/Theo/Dragos/Greg via phone/email separately, they didn't post those things to Bugtraq. Although they are all Bugtraq users ... hehehehe. (that makes it sound like we're all shooting up heroin or something).
Let it not be said that Bugtraq is a controlled substance.
Stop kicking, stop kicking! A nameless shirker writes: "More 'clarifications' from Linuxgruven CEO Matthew Porter can be found during a recent discussion on the Kansas Linux and Unix Users Association (KULUA) mailing list. His answers were very evasive to what were considered very straightforward (if direct) questions. The beginning of his involvement in the discussion can be found here with follow-ups linked from that message. Other discussion on this topic before and after Porter's response can be found near the bottom of the following archive thread page.
Just wanted to make sure everyone could see how "clear" Porter makes things in his "responses" to the questions he is asked."
-
comp.os.linux.security FAQ
$kr1p7_k177y wrote to us regarding Daniel Swan's release of the comp.os.linux.security FAQ. It's what you'd imagine, but with the growth lately, this should be a helpful tool. There's also an interview with him that sheds more light on the reasons behind the FAQ. -
Interview With AES Author
Dave Wreski writes "I recently had a chance to ask Vincent Rijmen a few questions about Rijndael, the algorithm soon to replace DES. He talks about the development of the algorithm, his thoughts on the future of Internet security, Linux and security, and more. He's a pretty interesting guy, and had some interesting comments. You can find the interview here" -
Interview At LinuxSecurity.com With The AES Winner
guido_sst writes: "Interesting article at LinuxSecurity.com with Vincent Rijmen, one of the developers of the AES-winning algorithm Rijndael. Has some background information on the winners and the algorithm itself, with some interesting links as well." -
Interview With Paul Vixie And David Conrad
rwm311 writes: "linuxsecurity.com is running an interview with [Paul Vixie] and [David Conrad] about the ISC and BINDv9. It's a pretty good read. Vixie talks about his days at DEC and his motivation behind BIND while both Vixie and Conrad speak of the future of BIND - features they would like to implement and things that will be going away (such as nslookup)." -
Words From Bastille Developer Jay Beale
How secure do you feel? Occams Razor points to "A great interview with [Jay Beale,] the Lead developer, about the Linux Bastille project." Beale talks about the direction that Bastille has taken, and seems fairly pragmatic about the Linux security model and computer security in general. A nugget: "... to fully secure a system, you really have to grind it into dust, scatter the pieces to the wind, and hope that Entropy does [its] part. Since you can't do this, you make tradeoffs."