Slashdot Mirror
Linux Distribution Security Reviewed
qbasicprogrammer writes: "Security Portal has a review on the security of Red Hat, SuSE, TurboLinux, and Caldera Linux distributions." Debian and Slackware are absent, but its a decent piece.
← Back to Stories (view on slashdot.org)
That's about right... for my home desktop, I'm currently using Mandrake 7.1 all sorts of stuff, easily done. Of course, it is hiding behind a (Redhat or BSD) firewall (along with my Windows boxen... Amazing what is up and running by default on some of these distros... BIND!? I can't imagine a generic desktop setup that *really* depends on bind running locally (not that it comes pre-configured to do anything anyway). There are a lot of things that, yes, you can remove, but sometimes the time/hardfile tradeoff is well in faor of avoiding the thousands of choices and just throwing it all on... not the greatest idea from a security standpoint, but for a default setup, that's what you get...
I thought I had a point... maybe not...
"It's tough to be bilingual when you get hit in the head."
I totally agree with the author's characterization of the Debian Corporation, how dare they try to sell such a terribly outdated system. I mean, if it's unstable do I want to install it on my computer? Don't even go there girl.
If I owned stock in Debian Inc. I would be demanding that the CEO be fired. How can Bruce Peren's cash those big checks without shame?
Clearly Debian Inc. is nothing compared to the amazing TurboLinux or the powerful Servers I've built with Mandrake. No proper e-commerce site can be run without KDE as the desktop powering the whole thing!
The current Slashdot moderation system is made by gay communists!
I'm going to be the first to say that it *was* a good read, and I'd like to see more of this. I'm sure that because of this review, someone will take the initiative and review other distros that weren't covered, so you won't hear me complaining like many others on here.
My suggestion for the next person who does this would be to explain exactly why and how you are doing the rating. Also, offer tips for those of us under-geeks that have yet to realize the full potential of Linux.
Security is probably my biggest beef with Linux, and I'm speaking from personal experience, not FUD that MS or any other company fed me. I got hacked within two weeks of an installation, and only one day after using IRC with the box.
I think that a similar review would spark interest for me as well.
And everyone knows that once you compromise a local account, getting root is trivial
This shouldn't have to be this way. At the very least, there is no reason to accept this situation. The OpenBSD crew pride themselves on the fact that no remote vulnerability, has been found in 3 years, and no local one in 2, I think. I am sure the BSD's would be mentioned more often on bugtraq too if hey had as many users looking for exploits as certain linux distributions do, but still... It's rarely (if ever) the kernel that leads to a root exploit, so you know who to blame.
Some of us on the SLUG (Sydney Linux Users Group) have had words with the author of this review, mostly about his treatment towards Debian.
Here is a section of the mail header of one of the author's messages:
Reply-To: "Kurt Seifried" <seifried@securityportal.com>
From: "Kurt Seifried" <seifried@securityportal.com>
To: [slug address removed]
References: [removed to protect the innocent]
Subject: Re: [SLUG] A comment on Linux Security Reviews
Date: Wed, 26 Jul 2000 01:36:25 -0600
Organization: SecurityPortal
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
--
"You take a distribution! Rename! Stamp CD's! IPO!"
- CmdrTaco, Geeks in Space, Episode 2 from 6:18 to 6:23.
"Chiswick! Fresh horses!"
Yes, Debian has not had a stable release for some time.
If you want cutting edge, you use the unstable branch. More than 'probably very useable' - it's more up-to-date than say RedHat because it's continually being updated (hence the name "unstable")
--
"You take a distribution! Rename! Stamp CD's! IPO!"
- CmdrTaco, Geeks in Space, Episode 2 from 6:18 to 6:23.
"Chiswick! Fresh horses!"
when you say "installed linux" don't you mean a linux distribution? Linux is only the kernel. Which distribution are you talking about? For a +3 post, it sure is clueless.
Lars -
You definitely need to go check out some security sites like bugtraq (securityfocus.com) and then think about what you said. Given that software is constantly being upgrades and patched (which can indtroduce new bugs) are you really sure that stuff is secure?
An yes, the only safe uncrackable configuration is to have your system welded shut in a steel box with no connectivity. Well, even that could be broken into with enough gumption.
Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
why would the average user need to have their X windows session remotely available, have a webserver, NFS, FTP and X Windows font server?
;)
Almost all of them are turned off in a default install as of Red Hat Linux 6.2.
Yes, we have bugs, but we (at least try to) fix them.
This message is provided under the terms outlined at http://www.bero.org/terms.html
As for it being a year before woody ships with a 2.4 kernel, it may be a year before 2.4 is remotely stable. 2.4 may not even be feature frozen yet, despite claims to the contrary; Linus seems to be adding a new feature a week. IMHO shipping 2.4 as the default kernel in any distribution would be irresponsible at this point.
My Blog. Sela Ward can sell me long distanc
- 3.9: 16/7/99
- 4.0: 28/11/99
- 7.0: 27/4/00
- 7.1: 27/6/00
Compare to Red Hat:- 5.2: 12/10/98
- 6.0: 20/4/99
- 6.1: 26/9/99
- 6.2: 8/3/00
So you are looking at 5-6 months between RH releases, and 2-5 months for Slackware. Oops, looks like the reviewer was just a lazy fuckbag.reviewer.streetCred = 0;
40-50 characters? man... you really take yer passwords seriously...
let me guess, you use different passwords for every system?
tagline
... hi bingo
Beg root to make a new group every time some situation like this comes up?
Frankly, yes.
The concept of groups has no clearer demonstration of purpose than the example you've cited. Groups exist so that you can assemble a list of people who should be allowed access to a certain resource or set of resources (in this case, a file), and will deny access for anyone not in that group.
Adding new groups is not a workaround for your problem, it is the solution to your problem.
If you want to debate the merits of having one centralized group list that only the superuser has access to, that's another issue entirely.
We're only including Windows 98SE and Windows 2000, and we're leaving out Windows 95 and 98 because, let's face it, they're 2+ years old. RIDICULOUSLY SLOW RELEASE SCHEDULE.
If they were reviewing (sp?) Windows, i think it would be proper to only review the latest versions. I dont know what version of the linux kernel was out 2 years ago, but i presume is was 2.0.x or 0.x. Do you want them to review these? No. So what are you complaining about? They only review recent versions of products?
Mark Duell
Not true...
It's on the download-able ISO image.
Just configure it to point to ftp.redhat.com instead of priority.redhat.com.
It works. Just be aware that at times ftp.redhat.com is busy and you won't be able to connect.
I'm not too fond of the program, but it automates the process, painfully, but it works.
You buy a house, the doors and windows come with locks, but it's still your responsibility to lock the door when you go to the grocery store.
The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
I hadn't heard much about capabilities or ACLs for quite a while and thought LIDS was just an intrusion detection system. This is a handy bit of information.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Finally! The first real use for the blink tag! Give this guy a prize for being the only person so far to find out a reason for its continued existence. :-)
Now all we have to do is convert the manpages to html or add a blink format tag to groff.
--
Friends don't let friends misuse the subjunctive.
Except they're missing the point.
What kind of a system administrator would settle for a default install? What kind of security department would ALLOW security holes to stay open? Sure, it's part of the vendor's job to make sure their product is up to par with what's expected of them, but ALL of the responsibility does NOT rest with the people who put together the distribution!
A Detail Oriented, Security Concious, Responsible SysAdmin is 90% of the equation.
And by not reviewing all relevant distributions, they're putting their 'review' on a slant. That's like saying "We're reviewing Windows security. We're only including Windows 98SE and Windows 2000, and we're leaving out Windows 95 and 98 because, let's face it, they're 2+ years old. RIDICULOUSLY SLOW RELEASE SCHEDULE." Bah. If you're going to take the time to write something like this, review ALL major distributions. Don't pick and choose your review candidates because (rightfully so) it looks like you're playing favorites.
I for one, am a very happy Slackware user, and have been for years. Needless to say, I was quite disappointed to find a lack of a Slackware review. (Slackware is quite a secure/stable distro, by the way.)
I haven't played with Debian too much to know a lot about it's implementations and security, but I can imagine Debian users feel slighted by this as well.
(My solution to the distro war? Use whatever you like. It's pretty simple, really.)
-- Give him Head? Be a Beacon?
-- Give him Head? Be a Beacon? :P)
(If you can't figure out how to E-Mail me, Don't.
It's obvious that you are not aware of the meaning of the words "stable" and "unstable" as they relate to Debian. Slink is "stable" because it's packages do not change much (Slink has been updated for security reasons and Y2K stuff, that's about it). Woody is "unstable" because it's packages get updated frequently (like, every day).
Yes, it does look like Potato will be released just before 2.4, so it will miss out on it initially. However, it will probably contain 2.4 in a future minor release (like when 2.4 actually gets released). There shouldn't be much to it -- I'm running 2.3.99 pre8 (okay so it's a little old) on a stock Potato system with no upgrades required from when I was running 2.2.
It's interesting that you make a comment here about the services that are active in a default install ("OpenBSD, secure by default, requires the admin to do things to make it less secure"). Your article did not touch on that issue at all.
You'd get to sleep all of your 8 hours if only you installed Debian on all 6 of your linux servers. apt-get - the greatest system administration tool ever.
--
"You take a distribution! Rename! Stamp CD's! IPO!"
- CmdrTaco, Geeks in Space, Episode 2 from 6:18 to 6:23.
"Chiswick! Fresh horses!"
And, how many people new to Linux are even going to know what half those services are? I bet most will leave the default settings because they don't know what will happen if they change them.
It's a different kind of reboot, and a different sequence. Instead of edit config, reboot, edit config, reboot, it is edit config, edit config, test config, and finally reboot to ensure that everything comes up right after the next long power failure, when you have forgotten what you wanted to do. Think bringing up an ethernet card manually with ifconfig and route on a server in a far-off location.
Any holes that are found are put into stable. Basically, you can install from the original CD of the current stable, without ANY security updates, and then right after installation do:
[root@host] > apt-get update
[root@host] > apt-get upgrade
And at that point, you're done. It will fix all known security problems.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
Yeah, he's an expert, which is why he uses Microsoft Outlook.
--
"You take a distribution! Rename! Stamp CD's! IPO!"
- CmdrTaco, Geeks in Space, Episode 2 from 6:18 to 6:23.
"Chiswick! Fresh horses!"
Figures. ;)
The author is trying to find an objective metric for security, and unfortunately for him what is easy to measure is not particularly relevant, and what is relevant is extremely difficult to measure. Without actually knowing much about Debian or Slackware, I would expect either to be more secure than any of RedHat, SuSE, Turbo, Caldera, Mandrake, Storm, because of an emphasis on doing it right rather than having the latest and greatest.
Think of new bugs as exploits that require zero effort on the part of the exploiters.
So you've just installed your favorite flavour of linux on your home box (as opposed to your home box office. That would be a much more impressive feat, and will give a special prize which is not an angry weasel to whoever can do it first), figured out all the ins and outs, worked some ppp magic, and are ready to tackle the rest of the world! Best make sure the world won't tackle you back!
Now, I know you're thinking "why would a cracker or skript kiddie attack me? what do I have?" Security is just for NetAdmins and big corporations, right? Wrong-o, buddy. You have many things that are just what a potential vandal might want, be they software bits, personal information (/. login cookies, for example), or just distributed processor power for the next big dDoS attack. So it'd be a good idea to keep the baddies out, right?
I'll admit, I didn't start the guru that I am. I've been attacked, and one time, actually cracked. And I didn't know it for weeks. The malicious bit of code sat running a process on my desktop, and I didn't even think to question it, as that this whole enuichs thing was pretty new to me. But eventually, as I came to learn more, I saw what happened, and how they got in.
Silly me, I didn't think to shut off access to port 647284a-3. As you're by now well aware, that's the port that listens for transmissions from the Daemon Quarlakath. Not really an issue most of the time, as that in order to summon Quarlakath, the attacker needs to slaughter the third born black goat under a Summer Moon. So, like linux security, you get one shot, and one shot only! You also need to chant several passages from the book of Lizzaft, in the original Tongue That Cannot Be Spoken. Last I checked they weren't giving classes in Tongue That Cannot Be Spoken in your averate Community College! So I didn't bother with port 647284a-3. No big deal, I thought, that'll NEVER happen.
And of course, it did. Once I understood what happened, I had to get that malicious daemon OUT of my system before it started a dDoS or slaughtering first born children or giving me a charley horse. So I did what any fledgeling Systems person would do, I summoned Taccatha, the Warrior Angel and sworn enemy of Quarlakath. And lo, the battle inside my box raged on for three weeks. When it was finished, Taccatha was victorious, and Quarlakath was banished to the Sulpher pits of Analorp from whence he came. But, of course, I had to pay Taccatha tribute for his service, and I'm still washing the blood of The Thousand Serpents off my walls. For such little things you'd never guess that they'd bleed so much.
So until next time, trkwjjoi hrrwompt snki!
Bad things often happen to good people,
It is up to them to see that they remain good.
Strong agreement. ;) /etc/group, root would not have to be constantly bothered added and deleting members. Re NT's ACLs, I was fuming for a few days after I discovered that groups and users cannot have the same names. ;)
Assume a lot of files in the group, scattered in several different directories, folders, or whatever they are called, and now add members or delete members, and just try to remember where all the files are. Should make for some very anomalous results.
RedHat, mayby other distributions, creates a group with the same name as a new user. To handle group membership, create a user with same name as the group. With some mechanism so that the user can effectively edit her/his one line in
Hmm. That should read "any fixes for holes that are found...". We don't want to be putting holes into stable :)
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
...but this article is very unfair to the
;)
major non-commercial distros. I can't say
what Slackware's security is like since I don't
use it, but Debian really gets the shaft...
and undeservedly so. Kurt seems to go on the
notion that any distro which ships software that
hasn't been reved in 6 months or more is
insecure. So in his eyes, Debian is not secure
due to the long release cycles. I find that
to be quite the opposite. Special apt-get
security mirrors, security mailing lists, and
patches that are usually available a couple of
days after an exploit is announced....Debian
does pretty well IMHO.
And it doesn't hurt that they don't ship with
sendmail as their default MTA.
I've offered to write an article for
securityportal on how to secure a Debian box from
remote exploit, but I've not heard back from
Kurt yet. I suppose he isn't in control of article
submissions tho. They'll be suprised to see that
the article is pretty much:
apt-get remove rsh
apt-get install ssh
apt-get install portsentry
apt-get install aide
apt-get remove telnetd
apt-get remove ftpd
edit a couple of config files and reboot. Of
course, local exploits are a whole nother story.
That's true of most Unices tho...except for OBSD.
Anyway, anyone who hasn't used Debian...don't
let this article turn you off to it. I don't
think Kurt has really used Debian very much.
I don't see how he could disregard it like that
if he had. Disappointing from someone who writes
the LASG.
IMHO, of course.
I got moded up, then down.. must have been a ZDNet writer me thinks..
Why didn't the author even mention up2date (the Red Hat RPM update agent) or corresponding utilities in other distributions?
A great many of his arguments evaporate when these automated utilities are considered.
The Windows users maintain their own machines as well, and they're really the users who need the most draconian control.
Except that the Windows model is one of end user system administration.
Mot only is central administartion of Windows machines hard this is also one of the factors working against replacing Windows.
GNU/Linux. The Freshmaker.
Photoshop is an application. Bind is not really an application, but a system service. In more traditional OSs, stuff like bind and other system services (directory management, ftp servers, etc) come with the OS, and are supported by the OS vendor. If bind on your Solaris box has a problem, (assuming its the bundled bind) then Sun HAS to support it since its THEIR application (and in this case THEY wrote it.) However, in Linux, the writers of these low level system services aren't the distro company, but some independant author. In that case, the distribution manufactuer has to support that piece, because even though they didn't write it, people are used to getting support on things seen as part of the OS distribution from the OS distributer. Linux comes with a lot of software, and I'm not saying that they should support it all. However, most people can figure out that GIMP isn't a part of the system, and go towards the appropriate support. But stuff like bind, gcc, ftp and telnet daemons, sendmail, etc, that are usually supported in the case of other OSs, (for example Microsoft supports problems in IIS, or Sun support problems with their ftp daemon) should be supported by the distro maker.
A deep unwavering belief is a sure sign you're missing something...
I'm puzzled about your comment on FTP. Why is anonymous FTP somehow not as bad as FTP with passwords?
If the only way to FTP files off the system is non-anonymously, people have to send passwords in plain text. Anonymous FTP doesn't have the risk of giving away passwords, the worst that can happen is that somebody exploits a buffer overrun (or similar) in the FTP server - and that server is chrooted, right?
I agree that FTP is generally worth disabling, but why pick on anonymous, when it's the non-anonymous kind that lets sniffers get hold of users' passwords? (You could have separate FTP and login passwords, but that's not the default setup.)
-- Ed Avis ed@membled.com
People don't have time to check with the maker of every program in the distro. If there's a problem in Solaris, I know I can just easily to go Sun and ask about it. Or I know that if a security hole is found, it will be on Sun's website soon as its discovered. People expect the same of a Linux vendor. (Hell, even MS takes responsibility once they want to admit a security flaw.) They don't expect to root through all the different vendors, and they really shouldn't be expected too. After all, the vendor IS selling a seperate OS as far as most people are concerned. It certainly is a seperate product, and the vendor is responsible for the product in its entirity. Some vendors do that job better than other.
To put it into perspective, what would you say if your computer's RAM went south and Dell told you to go ask Micron because they're the ones who made the RAM? I can hear to obsceneties now.
A deep unwavering belief is a sure sign you're missing something...
Securing a system does not mean checking the bug lists and applying the appropriate patches, or by throwing in a buzz-word Firewall. Although that is an excellent start, You can see the big difference with NT and OpenBSD.
NT has a decent security model. But Microsoft's goals with NT is functionality, not security. So with file permission defaults such as Everyone: FULL CONTROL and Exchange KM Server Admin passwords being "Password", it's not hard to see that M$ wants Admins to have an easy job. Everything works, but it ain't secure. Although one can configure NT to be secure, it will take many hours of work and tests.
On the other side of the spectrum, consider OpenBSD. Paranoid? Obviously. Everything's off, users have no access to anything, users can't su unless they're allowed. Here, security is well taken care of, but the admin's big job here is opening up the system so users can get some functionality.
Then put Linux in the middle. A relatively secure OS, with (as most distros) almost all daemons running without even asking for them. Shut off sendmail, wu-ftpd, httpd, etc, and boom, magnitudes more security.
Then consider the admin who uses the root account straight through telnet. One co-worker I knew does this on a regular basis, then brags that he's never been cracked!!! Patching bugs is the easy part...
--
You are a fucking moron.
Crackers don't always compromise a system for content. Off the top of my head I can think of several reasons why a cracker would dive into a machine that had NO user files on it.
Tell ya what. Why not post your IP address to a major cracking site and say "I've got nothing you want, so I'm safe, right fellas?" Stand back. Wait 30 minutes.
/// Not a super-genius . . . yet. ///
On top of what that other person said, WebStar is a fully functional webserver...
I burned the cd from the ISO so I had no manual. Maybe it was on the cdrom, or the website, but why isn't it in the install? That's the most important place for it. Is it so much to ask that I see it right there when I am installing?
Don't spend all that time enabling ssh and securing your box, and then just give everyone the password, and let them write all over your web pages? Is that tip in there? :)
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
What exactly does the "Welcome Crackers" setting do? I mean what does it turn of? ... Oh, wait. Never mind, I didn't say that. My box isn't on that setting. Really, its not... You can't get an IP from a /. posting, can you?
A deep unwavering belief is a sure sign you're missing something...
Figures that the distribution I like the most is not listed. oh well.
it is key to remember that no system (not even OpenBSD) is completely secure. paranoia is the key.
Yeah, but you still need a raw percentage of servers to give an estimate of how likely a given server/OS is to be cracked.. Eg, the Netcraft monthly totals.. attrition only gives the number of cracks..
Let's see.. NT accounts for 65% of the cracks, but only 20% of the market.. Unix-only webservers account for almost 75% of the market, but only 29% of the cracks. That only makes NT 8 to 9 times more likely to be hacked. (I discarded the other 6 percent as the error percentage, hence the range.)
Apologies to Microsoft; Their product sucks, but it isn't as insecure as I stated!
.sig: Now legally binding!
Most reviews only focus on the ease of use, configurability, etc... of a distribution. So far I have seen very few that focus on the security of each one. People might choose a review based on how easy it is, get completely [cr/h]acked, and hate linux. When choosing a distro, I think security should be top priority.
There are numerous cases where newer software packages have introduced new security hole.s For example, Pam added some features, and in the process, added a new local->root hole. When the ISC added a new feature to BIND, the new feature had a, you got it, remote root hole. The capability features to the 2.2.x kernels added new security concerns. And so on.
To say that Debian is insecure because it has not had a major update is just plain silly. Does he also think that OpenBSD is insecure because it still uses BIND 4.x instead of the latest and greatest Bind 8.x? For the record, I am a RedHat and not a Debian user.
The article also did not look at things like "How many services does this distro run out of the box?".
- Sam
The secret to enjoying Slashdot is to realize that it should not be taken too seriously.
I'd like to see an approach more on par with the *BSD crew - disable everything by default and/or make it the most restrictive. That way, if a user wants to learn to do something they'll read the man page or the manual and learn how to do it AS WELL AS what the risks are / how to properly configure it. This is much more in line for both neophyte and experienced users as you shouldn't be running something you don't know how to use on a public network like the internet.. you're just gagging for it then. :/ Just my $0.02.
You're basing your opinion of a distro on how well it upgrades from one version to another? All the distros I've ever used, FreeBSD included, have warned against upgrading, as many use a brute-force method and are not advisable. Do what everyone else does: back up your important files and install from scratch. This also has other benefits, such as the ability to try out new filesystems in the process (ReiserFS under Mandrake 7.1). You really should re-evaluate your basis for opinions. Except for a couple of issues with terminals settings and a few strange defaults, Mandrake is really the hottest thing under the sun.
Interested in open source engine management for your Subaru?
(Yet Another Statistical Security Story)
See it was just a bunch of charts and graphs, I skipped to the "conclusions" section and found the following item: "All the major vendors have improved over time. That is to say, the number of updated packages released for security reasons and not just "normal" upgrade activity is decreasing, which suggests decreases in the number of security flaws."
Yes, that's right, the author finds that the number of updated packages is decreasing and concludes it's because security is getting better. If IDC released this report with s/Linux/Windows run against it we'd be all over them like green on grass.
Nothing to see here.
--
Give us our karma back! Punish Karma Whores through meta-mod!
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Any Linux 2.2+ (with ipchains) is more secure than *BSD. Unfortunately, the BSD ipf utility doesn't work prorperly. It gives an ioctl(SOIADDR): Bad file descriptor error and tells me that my device is not configured. (What device! I've been on the internet with the darn box!)
Therefore, no matter what distribution of Linux you run, be happy in the knowledge that BSD is less secureLinux distributions keep getting treated as seperate operating systems, released by seperate vendors. Most security holes come up in the services which systems run, not the install packages used to install the systems. Like, what use is it to talk about vendor bug reports? There may be no bugs in the vendor's software, but there may be tonnes in some of the software bundled. I dont know about you, but isnt it the application authors that should be posting bug reports for their apps? Sounds like a better source of info to me. Personally, I run debian, the default install comes with no services, except maybe portmapper (i dont know why they include it in netbase, it should be it's own package really). I mean, they should compare, just to be funny, redhat and others like it, to debian's unstable distribution. I'd say maybe 5 packages are updated a day? sometimes more? hehe. That's a pretty quick bug fix period, and it's on the bleeding edge. Linux dists just dont split along the seperate product division that people keep trying to divide them long.
I beg to differ on that point. As one who follows Slackware development very closely, there is almost always daily changes to the ChangeLog. These fixes typically consistent of either upgrading a package to a more recent current version or fixing a security bug (a more rare occurence).
Just as with every other distributions, Slackware stays on top of new developments and security fixes. The main version may not increment as often (it typically jumps two or three times a year), but it is nowhere near backward or slow as the reviewer seems to imply. Check out Slackware's main site for evidence of my opinion.
"Red Hat isn't a distro for the people who want the latest and greatest updates as soon as possible."
You are suggesting that it would be good policy to delay security releases because some users might not want them? Even Microsoft doesn't use this argument...
--
Give us our karma back! Punish Karma Whores through meta-mod!
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I use Outlook too. Notes. It's called a corporate standard. Then I go home and use Pine and Netscape Mail. Your point? If my workplace insisted I use FrontPage for webdesign (thankfully, it doesn't!), does that ruin the credibility of my freelancing as a webdesigner?
Open Source. Closed Minds. We are Slashdot.
Red Hat isn't a distro for the people who want the latest and greatest updates as soon as possible
It isn't?
ISTR that it was one of the first distros to make the change from libc5 to glibc, and it was very early with a.out->elf also.
My experience with RH is that x.0 contains a lot of new and beta stuff, x.1 has a lot of bugfixes and x.2 is very decent.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
No you can sell the application as normal, you must make the source available. Furthermore you can't tell the person you just sold it to he can't give it to his friends.
Good Grief are you looking for something the disagree with that you will perposly miss understand something?
No where did they say that ity would be delayed cuse its not wanted, they said it would be delayed cuse what was wanted, was a Well TESTED security releaces, thet thay dont have to be install 'service packs' ever other week.
--Rogue, who's existance has yet to be disproved
On 3 - do you know who the author is? He's written *the* most comprehensive guide to securing Red Hat that exists... (it's also generic enough for most distros)... He could probably claim - accurately - to be "some sort of Expert"
Open Source. Closed Minds. We are Slashdot.
Ridiculously slow release schedules??
The release schedules are not ridiculously slow, only relative to Linux distributions. Other OS's wish they could compete like that; Windows gets releases of its consumer version every three years or so.
And besides, what do release schedules have to do with security? Do they make D&S better? Worse? Unfair? Why?
I know people who would argue both ways.
MYTH: slow releases mean security bugs stay in longer
FACT: Debian (probably slackware too) releases package updates as quickly as any other distro when it comes to newly discovered vulnerabilities. Check http://security.debian.org (by the way those exploits on the page now are global, not debian-specific)
I know people (not me) who also feel that your system is more stable when you don't upgrade with every new version that comes out. This is the same thing, and I partially agree, to various extents depending on the circumstances.
What I don't understand is why this insigniicant difference in market strategy invalidates these two distributions, and why the author chose to disclude them. I also think the "ridiculous" needs some explaining... can we moderate articles "Flamebait"?
# debian/rules
... and is more secure, too.
(but he has a nice website and security guide on the LDP)
Sorry. I couldnt resist on this one.
=)
- about me
Comment removed based on user account deletion
okay, what software does it include? most holes occur in third party software... who cares if its secure if it doesnt really do a lot?
Apparently a lot of people disagree with you, or rather think the security merits of OpenBSD are vastly outweighed by the performance and features of the other free unixen.
Remember that story about Fortune 500 companies running only NT? Well, I ran a similar test on the sites on the Hot100 list. OpenBSD did not get a single entry in 120+ URLs (some entries had more than one URL listed). Linux got 17%, FreeBSD in the low twenties, and Solaris took it home with over 40%. There were AIX, IRIX, BSDI, and NetBSD, in the sample, so you really can't say the results weren't spread out.
.sig: Now legally binding!
Listen up Zik, cause I'm only going to say it once. Your actions are FAR beyond repair as it is, do NOT go making it worse for yourself by whining about it. I have the fucking logs, and whose IP do you THINK is on them? No, you don't have to think about it, DO YOU? We've put up with your shit long enough, and don't say we weren't open minded and didn't give you a chance. You were FAIRLY tried before the tribunal, and had PLENTY of time to put up a defense then. But you didn't. You said you accepted the judgement, and what do you do, YOU GO AROUND BITCHING ABOUT IT. You know the consequenses for such childish behaviour. The Troll Collective will not, should not, and CAN NOT let such foolishness continue. You have four days to submit your apology before the tribunal, or consider your "resignation".
Enough is enough indeed.
Bad things often happen to good people,
It is up to them to see that they remain good.
You wanna play with the scripts, you gotta have the OS. And if you don't know shit about DBMS's, go take some crackpot CS course at your local community college. Even the $6 dollar-an-hour "professor" there knows more than you do.
Query: Why would you *want* to?
Keep in mind that the Unix security model, which is damned good by the way, assumes that the machine's owner (root, anyway) is God. This is not a bad thing.
I challenge any slashdot user to name one configuration that can not be accomplished with Unix security.
/etc/group that has exactly us in it.
I have a project that I work on with three other students/employees, with files stored on a University/company system. I want to make my files read/write for just us four, but there is no group in
What do I do? Make three hard links to each file, with different permissions on each one? Beg root to make a new group every time some situation like this comes up? Those are workarounds, not solutions.
Unix follows the first rule of security: Simplicity!
Translation: "I only use Linux". Commercial Unices have had ACLs for longer than Linux has been around. There's a Posix ACL standard API, in fact, which one or two beta extensions to the ext2 filesystem allow you to use in Linux.
Actually, the newest release level of slink has a 2.2 kernel as well.
Mandrake and Redhat now install (or offer to install) MD5 password protection during the install (I seem to recall that it's been an option in Debian for quite a while, too.) My original passwords were not succeptable to dictionary attack but may be succeptable to brute force attack. I consider my current pass phrases to be secure enough that they'd never be broken in any period of time, brute force attack or no. Typing about 40 or 50 characters for a password might be kind of a pain in the ass, but by God it's secure!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Bastille really goes nuts with locking things down. It should be shipped with every release of RedMr.Hat.
RH is good for keeping systems similar, and is the currently favorite for commercial applications. Of course, no solution worth its salt would rely on one level of security, and would definitely not rely on having RH on its most outside layer - that's just asking for trouble!
Deinstall everything that's not needed, and lock down everything else. Then run Bastille. While this isn't the perfect solution, performing these tasks reduce the chance that someone will find a hole..
I'd just like to nitpick on their definition of who's an early adopter. Recently, Suse and Mandrake have been much more agressive about introducing new features than has RedHat. Currently, Suse 6.4 comes with both ResierFS and XFree 4.0. Mandrake 7.1 does as well. However, RedHat has neither.
A deep unwavering belief is a sure sign you're missing something...
Now the problem is that Caldera and most other distros automatically leave all services on.
:)
Disclaimer: I work for Trustix, so I'm obviously biased and completely untrustworthy.
This is exactly one of the reasons why we made Trustix Secure Linux.
The most obvious changes compared to a normal distribution are: remove all cleartext services if a secure alternative is available (telnet/r* vs openssh), include secure configuration defaults for services, don't run any network services by default and only include the packages that you need on a server.
For those interested, the full mission statement is here
Mailinglists available here
Distribution available here
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
... and he missed that by excluding Debian completely from his analysis. Debian does make security patches to their distribution on a timely basis. The Debian folk also run one of the better Linux security sites (mentioned previously, security.debian.org). The fact that, if I install Debian off the network, I'm getting not just "stable", but "stable patched", means that by excluding Debian, he flawed the entire study.
That would be because Malda has a personal hatred of Caldera. Anything related to Caldera on this site must be be scorned.
I use Debian on several company firewalls here, because of the ease of keeping it up to date. We can't afford a real admin for these boxes (charitable org), and having apt-get with security sources in the apt source list makes patching holes a breeze.
I have to say, also, that the authors dismissal of Debian and Slackware seem like either he didn't research those distros, or was too lazy to try and compile the information to his 'metrics' about them.
"Vendors need to make hardening scripts available (or support existing ones like Bastille Linux), and tell the users to use them--something like the default email that OpenBSD sends to root after a new install, telling root to read "man afterboot.""
"Vendors need to turn stuff off and make users enable it, or, during install, make users aware of what they are doing (similar to SuSE's "Do you really want to turn inetd on?"). "
On my first entry into Linux, I installed Caldera's OpenLinux 2.3. The reason for this is that I had done some research and found that it was the only distribution at the time that autodetected the Voodoo3 video card I was using. I ran it for a while and was very happy, some annoying problems in that most software and drivers released for linux are now designed for RedHat, so the files that they looked for were in the wrong place. So I had to make a lot of symlinks, etc. Big deal, standard linux installation garbage that everyone has to deal with.
Then my box got root compromised. The cracker/script kiddie had used one of many buffer overflow 'sploits, along with a RootKit to get on my system and hide his tracks. The way I found out was that I chose to use a graphical login, which displayed as icons all user accounts (which i believe RedHat did not have at the time. the root exploit script the cracker used was designed for redhat). I found out that many of my files had been trojanned, and that I was basically going to have to wipe the drive and start over.
Now the problem is that Caldera and most other distros automatically leave all services on. This includes the infamous wu-ftp daemon, among others known to have security issues. If there were a simple dialog at install about which services the user wanted enabled and which disabled, I think the linux market as a whole would be much more secure. But then, now I know, and knowing is half the battle.
---------
"He's more machine now than man, twisted and evil."
"OpenBSD, for example, has found hundreds of holes during their code audit, in code many other vendors are using, but no one seemed to care. These discoveries could have headed off many problems."
I think this brings up a very important point concerning Open Source development. Why contribute fixes to other venders of whom you are currently involved in a flame war with? Its a case of "My Open Source Project/License/Fork is better than yours"; 'BSD vs. Linux; QuakeWorld Project vs. QuakeForge (for a while anyway); My dad vs. Your dad.
I'm sure that this is not everybody's position, but certainly its enough to cause Anonymous Coward to have a flipping freak out session on Slashdot every time the issue is brought up.
Its really to bad, for the sake of secure software everywhere that these fixes be shared and implemented.
Yeah.
I mean, what's with all these "rules"? Did we fucking vote you into power? I don't think so! And that "training sid" is just insulting! I'm sorry we can't all be as cool and funny as the mighty GNARPHLAGER! Spam is funny, too. You just don't get the joke.
I know there are people on my side! You just wait and see. I'm not bitching, I'm gathering my forces!
YOU'RE A PATHETIC SACK OF SHIT AND I FOUND YOU OUT! DID YOU REALLY THINK YOU COULD HIDE THE TRUTH FROM US FOR VERY LONG? WHAT YOU'RE DOING IS PATHETIC. GET A FUCKING LIFE, MOTHERFUCKER. IF FLAMING IS SO IMPORTANT TO YOU, THEN TRY PLAYING DIABLO II INSTEAD OF RUINING THE COMMENT SYSTEM FOR ALL OF US. I HOPE THAT TACO FUCKING BITCHSLAPS YOU.
Excuse me for yelling, but this so fucking pisses me off that there is no way I can say it gently! SLASHDOT IS FALLING PREY TO A LAMER MAFIA
Let's review the facts:
- The new slashdot site allows logins. The intelligent posts are nowhere to be seen... for a while.
- Around the time of the intelligent post's "return", anonymous cowards start first posting.
- Trolls get accounts to harvest karma.
- Anonymous posts are inexplicably moderated up.
- Intelligent posters give up and start trolling and getting karma, since the trolls have hosed the system.
- Slashdot almost admits how lame it has become.
- Enoch Root and Signal 11 stop caring about the karma and just try to post; but the ACs don't let them.
- Weird conspiracy theory references start popping up.
The truth is quite simple:
At some point, the assholes who were posting anonymously initially got tired of getting moderated down, jealous of anyone with a karma in the viscinity of 35 (Judging by their posts.) Realizing this was stupid, they decided to get karma, either on eBay or by posting intelligently (though I have found no trace of this), or on a hidden sid (perhaps Rob can check it out?)
The victim was Signal 11. Signal 11 is now, in effect, his own Lamer magnet! Also vulnerable is the Enoch Root account, who gets as many flames as the Signal 11 account and gets as jealously moderated down whenever possible.
These pathetic excuses for human beings deserve to be bitchslapped for abusing the system like this. Please, Rob, if you're reading this, BITCHSLAP THE ANONYMOUS COWARD, AND IF POSSIBLE, THE TROLLS WITH LOGINS. Everyone else, please flame stupid posters whenever possible for being such pathetic whiny lamers. Finally, mail Rob to tell him that you are as disgusted by this as I am.
I am not posting this anonymously, because I actually believe content is worth something on here, and I don't want to lose it all to the Anonymous Troll LAMER MAFIA.
In case you didn't know, moderating posts as 'Overrated' doesn't appear in metamoderation, so is used to confuse newbies who don't know how the system works.
And to the Trolls and the ACs, for doing this: fuck you. All of you. You make me want to puke. You might think this is all a game, and I take Slashdot too seriously. Perhaps. But what you did is still pathetic and very, very sad.
A (rightfully so) Slashdot User
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
It looks to me like the author simply decided it was time to have Fun With Graphs(tm). All he did was look at the number of security fixes different distributions have. What does that prove? If a distribution has a gaping security hole in it and it was never fixed, it would end up looking better by the standards of this article. Nowhere is it taken into account what percentage of security holes were actually plugged with these fixes, how long the fixes took, or how serious the security problems are. Furthermore, if a certain distribution goes a long time before being replaced with the next version, then it's likely to have many more fixes. Does this mean it's insecure? Of course not! Why would it?
Which brings us to the issue of Debian and Slack. The author probably ignored them for the very reason I mentioned above, but that's silly. In my opinion these two distributions (especially Debian) are among the most secured Linux distros out there, in part because of their slow release cycles. If they don't try to instantly cram every new feature into the distro then they have more time to make sure that everything in there is working. It's outright foolish to completely ignore these distros in a security analysis, but then this article isn't much of an analysis anyway. Maybe it's for the better.
I am not an idiot. Please use my name to email me.
"That's right, I'm quoting myself."
-Upsilon
"making sure you download the right RPMs."
:)
you mean DEBs
Power-hungry clique? I think that we have the power. Even Signal 11 admits that. Look at my user info for the quote. We're not holding you to anything. If you can't take the trollslap, don't come here. Go find some other board to troll. Until then, this board is ours.
is *MUCH* easier than the serpent sacrifice!
try { do() || do_not(); } catch (JediException err) { yoda(err); }
well... if you can get a hold of the /etc/passwd file (shadow file, if needed) most of the passwords will be yours in relatively short order.
Repeat after me - if someone has access to your encrypted password file, you are already screwed. Implementing insane password policies can help this, but the encryption will only slow down a crack, not make it impossible.
Its similar in NT land, too... If you can get at the password hash, you /will/ be able to get every password... Its just a matter of time.
Lesson? Make an insane password policy - at least 8 characters, incude mix-case, numbers and symbols. Use shadow passwords. Have a backup root account.
and be paranoid
tagline
... hi bingo
oh, sure, if ping-flooding is "attacking", then yeah, we can't touch you.
But we know where you live. Remember that. You're part of the game whether you like it or not.
Sleep tight, asshole.
Bad things often happen to good people,
It is up to them to see that they remain good.
Red Hat isn't a distro for the people who want the latest and greatest updates as soon as possible. It's a distro for those who require a very tested solution.
Perhaps you can tell us what happens every ".0" release then. From what I recall, there was once an expression in reference to RedHat: "wait for the .1".
It's no a troll, it's the truth. I hated the Alpha RedHat distro.. Sig 11 city on the install
Lowmag.net
~gnarphlager, posting AC to avoid the karma hit
It takes about 20 minutes to update a fresh install of Debian stable to the most current kernel and all other security patches. As I've said before, simply:
[root@host] > apt-get update
[root@host] > apt-get upgrade
After that, go download the latest kernel source[which you can also do through apt], compile, and be happy.
This guy is supposed to be reviewing the security of a distribution, not the security of the kernel. The kernel can be updated in about $(TIME_IT_TAKES_TO_DOWNLOAD) + 10 minutes. All userland security holes are addressed in updates to the stable tree. Also, I'm not sure [I personally forget] if Debian is in the habit of tossing new kernels into the stable tree, but I'm sure that it would happen were there a major breach.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
Brand me a pig then I guess. Fat pipes are fun :)
Also, this isn't that relevant in the business world. Most if not all businesses that are going to have servers that are critical to their business will have a fat enough pipe to handle it.
Besides, how is this worse than downloading all the updates individually? It will take just as much download time, if not more, and you'll have to search for them instead of have them all in one place.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
The fun part is, Slackware releases more often than any distribution he covered.
:-)
:-/
;-)
Sensible people already know this!
The reviewer did not know this.
Therefore....
You've hit the nail right on the head. Fact: any company that relies on its computing resources for its business (read: everyone with more than about 1 employee) and does not hire a competent systems administrator is reckless and irresponsible.
If the management of a widget manufacturer buys inferior widget components to save money, and then finds themselves unable to sell widgets, the shareholders will most likely dismiss them. In some countries, there may be legal proceedings as well. Why? They failed to protect shareholder value. Instead of paying a fair price for a necessary input, they tried to cut corners. How is this case any different? Yes, competent systems administrators are expensive. The greenest of us are paid $60k a year. A 20-year Unix guru veteran administrator is worth $200k or more. But evaluate that cost against the costs associated with a security breach. For a small firm, and a simple skript-kiddie breach, the costs might simply be some lost time spent fixing the system, maybe a few hundreds or thousands of dollars - each time. For a medium-sized firm, or for a more insidious or far-reaching breach, costs will rapidly exceed even the most extravagantly paid sysadmins' employment costs.
Managers who fail to hire competent workers for necessary positions are guilty of mismanagement. Managers who fail to provide their staff with the tools they need to do their jobs (software upgrades, operating systems with adequate security models, etc.) are guilty of mismanagement. These are the guilty parties.
The fact that competent systems administrators are hard to find and expensive provides no justification for insisting that every software vendor try to divine all their millions of customers' security needs and provide for them out of the box. First, it's impossible to make everyone happy. What may seem lax to me looks fascist to most. Some people don't need any security at all - those with non-networked machines with no sensitive or valuable data. Second, there will always be bugs, errors, and omissions in software. Even OpenBSD issues patches and updates from time to time. If you are going to have a system, you must maintain it by applying vendor patches as needed. While this is not difficult, it does imply some measure of competence and vigilance.
All that said, there are differences in security between various vendors' offerings. Some systems (*cough*solaris*cough*) cannot be secured by any means, because the vendor is so lax about providing updates for known problems. Other vendors ship systems in intentionally insecure configurations (sgi). Others try to ship secure systems, but invariably fail to do so. Creating and maintaining a secure environment requires a competent administration staff regardless of the vendor and operating platform you select. While some vendors make it easier to do so by providing full source, frequent updates, and perhaps even auditing their code base, no amount of effort on their part can provide a level of security appropriate for every possible customer.
This provides an interesting opportunity for ISPs. Customers without the necessary interest or competence to maintain an appropriate level of security could purchase firewalling and other services from their ISP. This way, regardless of the type of system they have selected, they can be reasonably sure that a breach will not occur. Naturally such services would cost much less than hiring a full-time administrator. This model seems especially viable for home users, who often have no experience, hardware, or interest needed to provide sufficient security. But such offerings are generally made either to large customers, or to home users as a mandatory, no-extra-charge component (blocking port 25 for example). Hopefully this will change, as ISPs broaden their offerings.
Regardless of how you feel about staffing policies and distribution management (ever put one together?), it is irrational to expect what you do from vendors. No Linux distribution can possibly meet the needs of every possible user. Especially out of the box with no configuration. While some security measures should probably be included, I would much prefer choosing myself which additional measures should be taken. I do not appreciate vendors who try to box me into a certain security model. For example, a vendor might ship a distribution in such a way that Kerberos provides the entire security model. What, then, if I am on a network that uses OpenSSH DSA as the primary authentication security model? I am forced to strip out as much Kerberos as I can - often recompiling packages - and then add on my desired security measures. It's much easier to start with a system that has no preconceived ideas about security models, and then add on whatever I feel is appropriate for my circumstances. I don't expect - or want - distributors to try to guess my needs and provide only for the needs they assume. That is the mark of Microsoft and so many other failed vendors. The vendors who are succeeding today provide a wide range of flexible options to their customers. The one-size-fits-all, out of the box and go mentality is evil and shall not earn my business, now or ever.
As any sysadmin will tell you: Maintin it, or unplug it. There is no excuse.
First the guy says he won't review Slack because of it's "ridiculously slow release schedules". Well there are new releases on CD 2-3 times a year, and updates always available for download, but maybe he doesn't know that.
Then he says "Let's begin with some basics: How often do the vendors release new distributions?" and completely fails to answer his own basic question!
Sheesh!
Wow, got slashdotted, this is pretty nifty (and our servers are handling it well this time which is nice). Anyways there's a lot of comments I feel I should respond to, so here goes:
The debian/Slackware issue: Debian has "official" releases like every 2 years, thus generating stats on it are near impossible. I know the distro is maintained (read: http://www.securitypo rtal.com/lskb/articles/kben10000078.html, I am well aware of how dpkg/etc works. Here's the thing, you will never release a bug free software package, especially something like Debian which has a lot of packages. Like kernel 1.0 it's sometimes just best to shove it out the door and give users something a lot better then the last "officially stable" release. Side note: looks like Debian will release the next major one before 2.4, meaning it'll be another year or two before "stable" gets a 2.4 kernel, sigh). As for slackware I don't know anyone using it in a production environment anymore (there probably are..). I used Slackware for .. about 2 years when I started out, it is not something I'd want to put on 10 machines and maintain.
As for default installs, guess what, most admins do leave the defaults. Many people simply don't realize how dangerous these services are, or that they really need to be kept up to date. A default install like OpenBSD, secure by default, requires the admin to do things to make it less secure, (admitedly OpenBSD 2.7 with no security patches has a number of holes that are pretty serious). SOmething like %50 of machines on the Internet are insecure, why? A lot of them are simply because the default OS install was done and very few (or no) updates. Taking care of one machine at home isn't to bad, I have to care and feed 6 linux servers for my personal network, and sometimes I forget to do things, I'm only human (and I like to sleep 8 hours a day).
Good response for what? Red Hat isn't a distro for the people who want the latest and greatest updates as soon as possible. It's a distro for those who require a very tested solution. That's why Red Hat is often behind on the technology by the time it gets to .2, because they're focusing on the testing.
Leaving your users hanging in the wind for 2 weeks with a local root exploit is not good. Yes I know 2.2.16 has a ton of problems, but you should be giving customers the choice, not just leaving them in the lurch with no update.
As for Caldera/Turbo, Caldera is a pretty popular corporate distro, and Turbo is huge in asia (remember, there's more to the world then just the US market).
Note to slashdot: make the *******ing text entry box bigger!!!!! like 80 by 40 would be nice.
Kurt Seifried
I have mailed this to the author of the paper under separate cover.
1 r5 i ty-announce-98/threads.htm i ty-announce-99/threads.htm i ty-announce-00/threads.htm 2 33&cid=141 3 3&mode=nested
> I have not fully covered Slackware and Debian, with their ridiculously
> slow release schedules.
I'm very disappointed on two levels: First that you provide such a
comprehensive and useful report and yes omit one of the more popular linux
distributions[6], and second that you have made such an erronous assumption
about Debian's release methodology.
Your main mistake is that you have failed to realize that Debian
releases timely security fixes, which are distributed to Debian users
via the internet. Users can choose to configure their systems to receive
these updates[1]. This makes release intervals orthagonal to whether users
receive security fixes.
Moreover, Debian has _frequent_ minor releases. These releases consist
mostly of security fixes, and they serve to get the security fixes out
to fresh Debian installs, plus to anyone who installs from CD and does
not set up their system to receive security fixes via the net. You may
have missed these releases, since in Debian, "2.1" is a new major
release (with an implied "r1"), while "2.1r2" is the first minor release
-- an unusual nomecleture compared to the other distributions.
Interestingly, minor releases of Debian 2.1 have occurred more frequently
than minor releases of Red Hat 6 (which, as you note, "shoves a new version
out the door every 6 months like clockwork").
Debian
2.1
2.1r2 8 days
2.1r3 167 days
2.1r4 104 days
2.1r5 117 days
Red Hat
6.0
6.1 161 days
6.2 175 days
[ Interestingly, a poster on slashdot has numbers[5] that show that
the other distribution you left out (Slackware) also releases just as
frequently as Red Hat. ]
In light of these problems, I think it would be quite beneficial if you
added Debian to your paper. Security announcement since 1998 are
archived in both the archives of the debian-security-announce mailing
list[3], and on http://security.debian.org/ (which also includes
advisories from 1997). So, I dug up some numbers (I read the changelog
pointed to by footnote 2, and counted security fixes. This is probably
not as accurate as your numbers.)
Release Security Alerts
2.1 1
2.1r2 16
2.1r3 19
2.1r4 5
2.1r5
Moving on to the second part of your paper, specific indicidents and how
quickly distributions responded, I've looked up some data on Debian's
responses.
Local root exploit in kernel 2.2.15, announced on June 8th.
On June 12th, Debian announced[4] it had fixed the hole *before*
the exploit was announced, and thus was not vulnerable.
fdmount, announced May 22.
Debian has never installed it suid, and thus has never been
vulnerable (as you noted -- thanks).
By the way, I think this section of your paper looked at too few holes to
draw any real conclusions from. But Debian seems to have been near the
head of the pack in this limited sampling.
In closing, I'd like to point out that the current 1 and a half 5 year --
not 2 year as you continually state -- gap between Debian 2.1 and 2.2 is
so far an exception, and not -- as you continually imply -- a rule. Major
Debian releases:
1.1
1.2 6 months
1.3 7 months
2.0 12 months
2.1 8 months
2.2 (19 months?)
--
see shy jo, fond of lies, damn lies, and statistics
[1] (For instructions to configure a Debian system to receive such fixes,
see for example, http://security.debian.org/, in the 5th paragraph.)
[2] This information from ftp://ftp.debian.org/debian/dists/stable/Debian2.
[3] http://www.debian.org/Lists-Archives/debian-secur
http://www.debian.org/Lists-Archives/debian-secur
http://www.debian.org/Lists-Archives/debian-secur
[4] http://www.debian.org/security/2000/20000612
[5] http://slashdot.org/comments.pl?sid=00/07/25/1444
[6] I'm not going to argue this in detail, but just see how people reacted to
your ommissions on slashdot. Debian has a rather large mindshare, though
its market share is less quantifiable.
http://slashdot.org/article.pl?sid=00/07/25/14442
--
see shy jo
- Debian and Slackware are absent, but its a decent piece.
For what it's worth, I believe that should be "it's". Here's a quick reference:Alex Bischoff
---
Alex Bischoff
HTML/CSS coder for hire
A slow release schedule means that a lot of security fixes exist which aren't merged into the distribution. Take the kernel for example: All versions prior to 2.2.16 have a security bug. A distro that releases less often means more work for the sysadmin after installing. There are other facts the guy missed, but I think that is what he's referring to.
-JD
And I don't think it's unreasonable to disable everything by default and force the user to learn about the OS to enable anything. I'd expect a seasoned system administrator to know how to install and set up a ftp server. I wouldn't expect a newbie to understand why they should disable it. Most of the newbies are going to willfully ignore decades of sysadmin experience (Witness how many of them insist on logging in and doing everything as root) so why make it easy for them to do so? I also think the distributions should set them up to refuse root logins, but that's just me.
I'm not saying we should try to figure out what's secure for everyone. I'm saying we should aim for some sensible defaults. Most of the home users don't NEED an FTP server running. Or telnet, or apache, or even inetd for that matter. And many of the more clued in people are going to want to install their own anyway (How many people rpm -e telnetd and install SSH instead?)
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Maybe it's because of the lack of a GUI installer? :P~
Why are percenteages graphed alongside counts? THEY'RE DIFFERENT SCALES!!! "Well, you might have 140% of the packages be security fixes..."
# debian/rules
".. A second primary concern is what software a vendor ships, and how it is configured..."
".. I have not fully covered Slackware and Debian, with their ridiculously slow release schedules..."
Hello, McFly? Part of the reason Slack doesn't ship a new revision or make lots of little changes to keep up with software updates is because of using well-tested, stable, secure software. You want a rock-stable distro or the most-current-toys distro? These two things are usually not equal.
From slackware.com: " What is Slackware Linux? The Official Release of Slackware Linux by Patrick Volkerding is an advanced Linux operating system, designed with the twin goals of ease of use and stability as top priorities."
Look at the whole package, including the philosiphy behind the distro itself. Is it better? Not for me to tell you... but your opinion might change a little (though I doubt it..)
-'fester
has anyone put together a distribution with security as the focus? ie, ssh instead of telnet, latest security fixes, configured secured firewall, etc.
oooo! Let's start an argument about the GLP!
FUCKING LAME! Nobody gives a shit about your stupid geek humor. Trolling is about having the power to shut down a discussion. Period.
Listen, the three of us might have power, but you signed the fucking contract, dumbass. The rules were STRICTLY outlined, and you DID have a copy of it, so don't give me any of that lack of communication bullshit. If you had a problem, you were more than welcome to bring it up at one of the meetings. But you didn't. You just sat there, with your smug "i'm going to troll the trolls" look, let me tell you, it's not going to work here, bucko. Maybe you weren't around when we voted on head, but why the hell do you think there's three? And why do you think we vote on it every 8 months? You couldn't WAIT, could you? You couldn't be patient and wait for due course of action like anyone else. And I'm glad you have your fucking penis birds on your side, just remember anyone who stands with you, is going to go down with you, capiche? Why don't you tell your little cronies what happened to slashdot-terminal?
you make me sick.
Bad things often happen to good people,
It is up to them to see that they remain good.
--
? All he said was OpenBSD is not completely secure. Get over your persecution syndrome.
And you can get debian 2.2 on cd. So I dont see why debian was missing Linuxiso.org has them.
Of course, even if your newbiews are clued in enough to get rid of all the crap the distribution enables by default, the first thing most newbies want to do is set all their friends up with logins on their system. And everyone knows that once you compromise a local account, getting root is trivial. Is there any reason for all the games to have root privs? Then why are so many of them setuid? Any package that requests a setuid bit should have a HUGE WARNING in BIG BOLD BLINKING LETTERS that doesn't go away for at least TWO MINUTES before it installs. This goes not only for games but for standard system services as well. Eventually I hope Linux privs will render the setuid bit completely unnecessary.
I agree that everything should be disabled by default. In addition, setuid usage should be structly audited and the setuid bit should only be granted when there's absolutely no other way to provide a vital service.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Good response for what? Red Hat isn't a distro for the people who want the latest and greatest updates as soon as possible. It's a distro for those who require a very tested solution. That's why Red Hat is often behind on the technology by the time it gets to .2, because they're focusing on the testing.
Red Hat is an IT distro. If you want Red Hat-ness without the IT requirements, try Mandrake.
Debian and Slack were not included in this article, but they're more secure than the bulk of the distributions mentioned because of their focus on stability as opposed to getting product to market. As for release schedules, to say Slackware is slow is just ridiculous.
+++
+++
NO CARRIER
If you run debian stable, you can use the package system (apt-get) to dynamically install security fixes. This means that you get them far, *far*, sooner than if you use one of those _other_ distributions.
Redhat et al. *have* to make frequent releases (and more importantly, you have to install them, with all the attendant bother) because they don't have a better method like debian does.
We live, as we dream -- alone....
Debian is mentioned at the bottom, but there are no numbers nor is there really any useful comments other than "two years is too long between releases" regarding Debian.
If you think education is expensive, you should try ignorance -- Derek Bok, president of Harvard
See my ealier post about hte graphical installer;P~
But really, as an example... OpenBSD. Not a fast release cycle. OpenBSD is generally regarded as one of the most secure OSes available. They are to a whopping 2.7! It's not every week that there is a new OpenBSD.
I think that there was some confusion about security and features. A lot of times, new features introduce bugs.
I just got off dialpad, let me tell you that they're more than a little ticked with you right now...I know I've been helping with your little 'project' so they're a little angry, but I haven't gotten rid of the database or the ai scripts yet. There's a possibility they'll listen, just calm down, go tke a walk, whatever. Don't blow this, man, come back to the sid...
-Sincerely
-Sincerely
Fauqme Indegautas
Ok, a quote from the article:
"I have not fully covered Slackware and Debian, with their ridiculously slow release schedules. "
So... since when does release schedule have ANYTHING to do with security? Sure, Debian and Slackware don't release new versions often. This doesn't mean they don't release security fixes.
I've said it before, and I'll say it again: Debian is the easiest distribution to keep up-to-date, security wise. I often recieve updated packages via apt before the security announcement even hits Bugtraq. And since it takes all of 2 minutes to get the updates and apply them, it is easy for me to keep it up-to-date. Compare this, for example, with having to constantly search down the news/new packages/etc , which you have to do with other distros.
Debian likes to make sure the release is rock solid before releasing it. I'll be the first to admit that sometimes it is a bit slow. But this does not make the distribution less secure. In reality, it helps make it more secure.
Anyways, that comment alone was enough to make me skeptical of the actual knowledge of the author. It is a really ignorant, offhand remark to make, and has no relevance to security. But that is just me.
-[Blaine]- "'Oh dear,' says God, 'I hadn't thought of that,' and promptly vanishes in a puff of logic."
Mr. Seifried chose not to review Debian and Slackware because of, "their ridiculously slow release schedules." Mind you, it has been well over a year since slink was released, but Mr. Seifried does not understand how Debian works, based on what I have read. Especially considering some of his criteria for other distributions was having a central repository to download security updates. You don't just install Debian and then let it sit! Any concious user is constantly using his favorite method (apt, or deselect) to keep his software updated. Security holes are fixed, and are more easily available. Users are donwloading security fixes without even knowing it -- whereas with other distributions, you need to go and seek out which packages need updated and do it all yourself!
The link on attrition's site
Defacements by OS
An Education is the Font of All Liberty
What the hell are you talking about? I run Windows2000, and I don't care what most these people think...
Actually, Linux is gaining on the list by the same margin Windows is falling.. Solaris is being eaten as well, but far slower. Oh, and the only sites using W2K in any capacity are Microsoft & Co, and they have since release.
Then again, I've only been tracking it bi-weekly since December, so my conclusions may be skewed by the short timespan.
BTW, a Windows NT/2000 webserver in the internet is something like twenty-five times more likely than Linux to be cracked because of a security flaw. Go take a look at the attrition.org's hack counts and the last webserver report. I wouldn't trust NT or Windows2000 to be secure unless in a locked box surrounded by twenty bags of Redi-Mix.
.sig: Now legally binding!
I really, REALLY, wish there was a version of the GPL that considered the Commercial wish to be able to charge money. (Which would *require* that redistribution either a) be done with the copyright holder's blessing, or b) only be done with those already with a license.)
*sigh* But, since that will probably never happen, most of the world will stay with a non-free OS from Redmond.
Oh please! Like you have any real power! You can't touch us because of your fucking rules! I don't need any fucking rules, ok?
Good luck checking your email tonight, asshole!
If you don't, it's a good idea to have something that takes a lot less work to secure, such as OpenBSD. So what big corporations choose is not really relevant to the single, self-administering user.
For those of you not in (and unlike what this bastard would have you believe, we do take resumes), this is not the first bit of crap this insolent twat has tried to pin on me. Remember the /. dDoS hits from a couple months back?
I'd like the general public to know this cumguzzling gutter whore deserves every bit that he's going to get.
Bad things often happen to good people,
It is up to them to see that they remain good.
The above statement has been posted, verbatim, to probably at least half a dozen stories in the last few days (probably all of them, for all I know).
After trying to figure out if someone is trolling for karma, I figured out that all of the replies to the post are part of the post itself. If you click on any of the replies to the above post, you get the reply from the original thread.
I dunno of any of the repliers being quoted are trolls harvesting for karma, but every time this "post" and its "replies" get modded up, it wastes points better meant for real replies.
Kind of an interesting social engineering hack, if nothing else. Either way, please ignore this post in the future.
Jay (=
(My second try on this...)
There was NO indepth look at the underlying security of the various distributions, what security functions or applications ships with each , or even what fundamental security problems are faced by all of the distributions (two examples, f'ing please).
You'd think these guys were doing an 'unbiased' look at webservers or something.. that or writing for ZDNet..
The article states:
I have not fully covered Slackware and Debian, with their ridiculously slow release schedules
Well OK fine, but if you're depending on a RELEASE to update packages that have security problems, you are already compromised. Give me a break. I use Slackware - I subscribe to their security mailing list, (mail majordomo@slackware.com with subscribe slackware-security in body) when something happens that requires a patch, they mail me. Sure, they don't put out major releases all that quickly, but they still keep on track of security.
I'm sure Debian has the same type of system.
To exclude these 2 distros from this review seems kind of inane.
Bah.. done my rant.
Why should the presence/absence of a CD iso-image matter?
I'm a Unix dummy, but here's a common one when I admined NT boxes:
Domain Admins: Full Control
Report Writers Group: Change
Report Readers Group: Read
Backup Software Service: Read
(Implict - Everyone: No Access)
Also, none of the line staff know the password of the real Administrator accounts, so su doesn't cut it.
When I hear the word 'innovation', I reach for my pistol.
Listen, anyone who's actually going to use ACLs and capabilities and such, are going to be able to install the utilities needed to use them - ie LIDS. I mean, the linux kernel is capability based, and ACLs are a filesystem thing arent they? LIDS (www.lids.org) offers to expose the kernel's capabilities to admins, and it adds ACLs to the filesystem. Linux security, out of the box, may not be so wonderful, but tell me what OS is totally secure out of the box? None. It doesnt happen. If you want to share files, you've gota do some work security wise - linux is able to do ACLs and capabilities, but only after a little work. More mainstream inclusion of these features is comming anyway.
Might be just me but if you take a look at securityfocus.com and look at slackware there are 0 (this year)! and then you look at debian and theres a few esp last year but most are due to packages but they were fixed very fast. I dont see why debian and slack were not done.
"Keep in mind that the Unix security model, which is damned good by the way, assumes that the machine's owner (root, anyway) is God. This is not a bad thing."
Actually, having an account that has total control of the system (the superuser) is probably the main weakness of Unix security, because it means that there is a single point of failure; if root is compromised, the whole machine is compromised. A finer-grained method of establishing who has what privileges, a.k.a. capabilities, is more secure.
--
Secondly, his hacking was script kiddying - his buddies on USENET were giving him the SQL commands. As I said, he was totally clueless about DBMS's, no matter how knowledable those fancy-schmancy SQL queries might have looked.
Go over to bugtraq and search for "redhat". Count the number of exploits. Search for "FreeBSD" and see how many you get. Its not so much linux as the tons of unchecked GNU software. I did a standard gnome install of redhat 6.2 and it took up over 600 meg! Win2k takes up about the same amount so don't even talk about bloat.
Only the State obtains its revenue by coercion. - Murray Rothbard
And this is the reason that OpenBSD exists. Security 'out of the box'. I don' tknow if their security claims are still valid but 2 years (whilst continuing development) of no remote exploits is pretty darn impressive. No futzing around unless you begin to install lots of custom servers or daemons. Yes, it has and will continue to have vulnerabilities but with the kind of philosophy the developers and most of the users have it's not that much of a problem.
It's like having good multiplayer network code 'out of the box' or having to download a patch to play it right. "What real gamer doesn't expect to patch their game!!!" --- bah, it's reality but which would you rather have?
Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
Your enthusiasts are going to have the full range of skill sets, from rank beginner to seasoned UNIX gurus. They don't have to justify their desire to install the OS, and they should be able to do so while remaining reasonably certain that if they connect it to the Internet, they won't immediately be taken over by script kiddies.
Moreover a reasonably competent system administrator who is responsible for a fair sized chunk of a large company is going to want to choose the distribution that allows him to do as little work as possible once he installs a new platform. He's also going to want automated tools so he can update a thousand machines at a shot and more automated tools so that most of the log crap gets filtered, so he only needs to pay attention to the trouble spots.
Furthermore I've yet to run across a company that has a resonably competent system administrator. Many of them are hired to point and drool at NT systems and are given responsibility for the UNIX machines as an afterthought. With many more, a group gets a UNIX box and its administration gets tacked on to someone else's job description. Test code, write reviews, administer UNIX box. Write documentation, administer UNIX box. Take customer calls, monitor network status, administer UNIX box. Write database software, administer UNIX box. Beats having to hire a sysadmin for $125,000 a year, doesn't it?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
SOMEBODY fucked up, eh? You no longer have the benefit of the doubt.
Too bad the install doesn't tell you WHAT each security setting does, it leaves it pretty much to your imagination.
When I upgraded from the 6.x series to 7.0 I had no idea which one to pick. That left a lot of things broken, for me to have to go in and fix.
Don't even get me started on how shoddy the 7.1 upgrade is....I'm now actively looking for a new distro.
I believe a set of kernel 2.2.16-1 RPMs appeared on RedHat Rawhide within days. It wasn't until 2 weeks later when the 2.2.16-3 kernel set was tested before RedHat officially announced the RPMs with the press release.
Note to reviewer: At least we have the option of running untested stuff at our own risk from various distro test labs and sites. You don't have that option with "Muppet Labs". ;->
-- Bryan "TheBS" Smith
-- Bryan "TheBS" Smith
Independent Author, Consultant and Trainer
Comment removed based on user account deletion
Oh please. A slow release schedule should mean that the distribution is MORE secure if anything. It means that the software included is tried and tested. This is one of the reasons why Debian potato uses a 2.2 kernel and a 3.3 XF86.
Is this the best reason they could come up with to not cover Slack and Debian? Either this guy is flat out lazy or he knew something about Debian and Slackware that would just not compare well against the others. Either way it makes me question his knowledge of the material at hand.
Besides, Debian's apt makes security updates tons easier than reading bugtraq and making sure you download the right RPMs.
[..] will focus on the major Linux distributions: Red Hat, SuSE, TurboLinux and Caldera, plus a few others.
Since when are TurboLinux and Caldera major distributions? Major distributions in my opinion are RH, SuSE and Debian. Slackware, while excellent, is too much a geek niche to be considered major. TurboLinux suffers the same categorization for Asian language support and I just don't know what anyone would do with Caldera.
Using your sig line to advertise for friends is lame.
One of the things that I liked most about Mandrake 7.0 was the fact that you could easily customize your system based on your security needs upon installation. The processes, services and daemons that are installed depend on which of the three (or so) security configurations you select.
I'm not sure why Mandrake was left out; the author even praises their efforts toward a secure distribution. Hmm, they even include it in the final wrap-up, though with no supporting data. Too bad.
I'm sorry to see Mandrake missing from this line up. Maybe an interesting accompanying piece would be a comparison of the three default Mandrake installations side by side.
yours,
john
So... since when does release schedule have ANYTHING to do with security? Sure, Debian and Slackware don't release new versions often. This doesn't mean they don't release security fixes.
I completely agree with this. Having the bleeding edge versions of software is not so important as having stable software and security fixes to those. Take for example the server environment - you don't need there the latest version of everything, you need things that work for sure.
Debian likes to make sure the release is rock solid before releasing it. I'll be the first to admit that sometimes it is a bit slow. But this does not make the distribution less secure. In reality, it helps make it more secure.
It seems to me that the author lacks knowledge of the very definition of security. The Security is not just fast updates, new versions and how vulnerable the system is for attacks. It's also about how stable the system and the software is, how easy it is to break/repair by inexperienced system administrators or users and how easy/hard is to lose data with it.
One thing the author of the article gets right, however, is that the time to get security updates to known vulnerabilities is quite a good way to compare distributions. So is the shape of the host (services up and inetd.conf) after the default installation has ended. But in my opinion also the stability and other things mentioned before should be tested and clearly no distribution or operating system should be excluded just because their release cycle is slow. I wonder how the author would have done the tests, if there had been for example Trusted Solaris included (with its ridiculously slow release schedule.).
Anyways, that comment alone was enough to make me skeptical of the actual knowledge of the author. It is a really ignorant, offhand remark to make, and has no relevance to security. But that is just me.
Well you're now the only one, but when I look also other tests about various issues (like performance) done nowadays, it seems that doing bad tests is more like a rule than an exception.
-- Karri Huhtanen http://www.iki.fi/khuhtanen/