BugTraq's Elias Levy Talks Security
LiquidPC writes: "UnderLinux.com.br has an interview with the BugTraq moderator, Elias Levy or Aleph1. Questions ranging from what he thinks of 'Hacking Exposed' to whether BSD is more secure than Linux. Kind of short, but interesting nonetheless." He notes the interesting difference between the approaches to security taken by FreeBSD (which he praises) and Linux -- lots of projects vs. a single unified one, and emphasizes that security is ongoing, not defeating any single problem.
Agreed, to an extent. Whenever I see coders beginning to argue about "secure languages" and programming languages that "don't allow" security holes, I have to laugh and recall what Bjarne Stroustrup said about C++'s (and C's) approach to such things.
(I'm quoting from memory.) The "protections" of the C family of languages are meant to prevent accidents, not fraud. Y'all might check out something like libsafe, originally from Bell Labs, and released under the LGPL.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
I don't even buy that it's 'easier' to secure BSD.
It may take a few less keystrokes out of the box, on any particular version, but that's where it ends.
Running *real* live systems, it takes the same amount of diligence and effort to keep them secured. You have to be aware of each new application you install, and how it impacts your security. It's no different on any OS.
Win2k is not hard to secure; neither is any other MS system.
Anyone know if something like this might be possible or easy?
Have a script that reads the Apache log in realtime. Whenever something gets cmd.exe or XXXX or NNNN or something like that, immediately block all communication with their IP with iptables?
This is getting annoying...
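The log-watching blocker asked about in the comment above, sketched as an added example that is not part of the original thread. It assumes Apache's common/combined log format on standard input; the function names, the allowlist default and the sample lines are constructed for illustration.

```python
import ipaddress
import re
import subprocess
import sys

# Common/combined log format: client address first, request inside the first quotes.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)')
# Signatures named in the question: cmd.exe, or a long run of X or N.
BAD = re.compile(r'(?i:cmd\.exe)|X{4,}|N{4,}')

SAMPLE = [  # constructed log lines, documentation address ranges
    '192.0.2.10 - - [01/Jan/2001:00:00:00 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 280',
    '198.51.100.7 - - [01/Jan/2001:00:00:01 +0000] "GET /page?NNNNNNNNNNNN HTTP/1.0" 404 276',
    '192.0.2.10 - - [01/Jan/2001:00:00:02 +0000] "GET /scripts/cmd.exe HTTP/1.0" 404 280',
    '203.0.113.5 - - [01/Jan/2001:00:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '127.0.0.1 - - [01/Jan/2001:00:00:04 +0000] "GET /test/cmd.exe HTTP/1.0" 404 280',
    'host.example - - [01/Jan/2001:00:00:05 +0000] "GET /cmd.exe HTTP/1.0" 404 280',
]

def offenders(lines, allow=("127.0.0.0/8",)):
    """Yield each matching client address once, skipping allowlisted networks."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    seen = set()
    for line in lines:
        m = LINE.match(line)
        if not m or not BAD.search(m.group(2)):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or junk in field one: never hand it to iptables
        if ip not in seen and not any(ip in net for net in allowed):
            seen.add(ip)
            yield ip

def block_command(ip):
    """argv list (no shell), so nothing from the log can inject extra arguments."""
    tool = "iptables" if ip.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(ip), "-j", "DROP"]

if __name__ == "__main__":
    # Usage: tail -F ACCESS_LOG | python3 blocker.py [--apply]; prints only by default.
    for ip in offenders(sys.stdin):
        cmd = block_command(ip)
        print(" ".join(cmd), flush=True)
        if "--apply" in sys.argv:
            subprocess.run(cmd, check=True)
```

Put your own management addresses in the allowlist before using `--apply`, since a matching request from behind a shared proxy or NAT address blocks everyone behind it.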
Using UNIX for a desktop is a fricken moronic idea.
I've heard this before and really don't understand it, so I'll take this opportunity to maybe get some clarification.
Maybe it comes down to the definition of desktop... I'm not sure, but I use SCO Unix at work (on my desktop, not on the floor) and a Unix-like OS at home (Linux), also on my desktop. I've tried using Windows(R)(TM)(C)(!GNU) many times but I always end up frustrated. Surely an OS should be chosen with what you want to do with it in mind, rather than a definition like desktop OS, whether it's on your desk or your fridge or on the floor, or in your ceiling... makes no difference.
Unix admins may have had a grasp of multiuser systems for decades, but they were blissfully unaware of Internet security issues until relatively recently. Protocols like NFS and NIS belie a far more trusting attitude than even MS's stuff from the late 80s, not to mention Novell. Standard daemons like sendmail were essentially unmaintained until recently. It took an enormous amount of work for some people (including those who started BugTraq) to change the lazy security culture bred into the fat academic maintainers of Unix. You might like to believe that Unix has a 20 year headstart over Microsoft, but it's more like a 5 year headstart. They'll catch up.
But as for your argument, windowsupdate.microsoft.com is about the easiest method I've come across for any operating system to keep your system up to date. I do hold the end user responsible for that reason, because in the age of the internet and high-speed home connections, as a user, you have an elevated responsibility over days past to keep your systems secure. It's simply a fact of life.
Every OS has holes. Linux, BSD, Solaris, Win[92XM]*, they all have 'em. Very few operating systems are designed and implemented with security as a top priority. In addition, MS OSes enjoy the massive user base and visibility, not to mention the low entry-level of computer knowledge, of no other OS, which means they're going to be more vulnerable, to some extent.
But it's definitely not rocket science to keep your MS OS patched. They make it really easy. Could they be more visible about it? Perhaps. Could everyone else? Just as arguably, yes. Does anyone else out there have better visibility for security issues/updates for their OS? With very few exceptions, I'd say no.
I'm sorry sandwich! --Brak