BugTraq's Elias Levy Talks Security

LiquidPC writes: "UnderLinux.com.br has an interview with the BugTraq moderator, Elias Levy or Aleph1. Questions ranging from what he thinks of 'Hacking Exposed' to whether BSD is more secure than Linux. Kind of short, but interesting nonetheless." He notes the interesting difference between the approaches to security taken by FreeBSD (which he praises) and Linux -- lots of projects vs. a single unified one, and emphasizes that security is ongoing, not defeating any single problem.

OpenBSD, not FreeBSD

[X-ViRGE]

Um, just FYI, he said OpenBSD, not FreeBSD. I think most people would agree about the security of OpenBSD.

security

[Lumpy]

It's very true, Anything can be secured including windows NT/200/xp/zp/ww3p it just takes more time and more money to do it than BSD or linux. but many companies take the stance of hiring a security consultant, get's an audit, fixes what's wrong and then believes that they've done what was needed and that they are secure now. They never think, or dont want to think that security is a moving target that requires full-time attention and trained people to take care of it. Send your IS/It staff to security training and seminars, keep the staff trained.

unfortunately in today's economic world, those programs and positions will be among the first to be cut by the CEO's.

Re:security

[MeowMeow+Jones]

The worm might be new, but the patch for the exploit in question was released in October 2000. Here are some links that are of interest:

http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/itsolutions/security/tools/lockto ol.asp

http://www.microsoft.com/technet/treeview/defaul t. asp?url=/technet/itsolutions/security/tools/iis5ch k.asp

Re:security

[coolgeek]

the patch for the exploit in question was released in October 2000

I don't want to harsh on you too roughly. Blaming the end user for not patching their systems is a bit like a programmer blaming a user for pressing that wrong key at that wrong time that crashes said programmers' code. They are innocent and ignorant. Insisting that they become clued about administering their computers is analagous to saying all motorists should be semi-proficient mechanics before climbing behind the wheel. Its just not practical, and it ain't never gonna happen.

Microsoft sure seems to have money to spend when it comes to sicking the BSA on its paying customers, or lobbying various public officials to look the other way while they break the law, yet seems to have $0 when it comes to educating the masses about the flaws in its products. Why not some full-page ads and television spots: "We're sorry we made a boo-boo. Please visit windowsupdate.microsoft.com to repair your Windows installation, and help keep The Internet safe for all of us." (and I have my doubts about whether that plugs these leaks) How about just putting some "Free MSN and Windows Repair CDs" next to the free AOL CDs you see everywhere. Instead, Microsoft seems to be quite content to allow the rest of us to pick up the tab for their follies in the form of lost productivity, upstream bandwidth fees, law enforcement investigations, etc. I would speak to their possible motives as to why they might want us all to waste our time and money, but I've sworn off the flamebait for a while.

too late?

[slashkitty]

Wouldn't that be too late? Apache logs the request after it is successful. Some request for /path/to/shell/sh?rm+-rf+/ would only need one request, were that a real hole. Your log analysis would detect it, if the log file was even still there.

Instead, your script would have to be a module or proxy that filters all incoming requests. And stops them before the trouble.