Slashdot Mirror


BugTraq's Elias Levy Talks Security

LiquidPC writes: "UnderLinux.com.br has an interview with the BugTraq moderator, Elias Levy or Aleph1. Questions ranging from what he thinks of 'Hacking Exposed' to whether BSD is more secure than Linux. Kind of short, but interesting nonetheless." He notes the interesting difference between the approaches to security taken by FreeBSD (which he praises) and Linux -- lots of projects vs. a single unified one, and emphasizes that security is ongoing, not defeating any single problem.

10 of 137 comments

  1. OpenBSD, not FreeBSD by X-ViRGE · · Score: 5, Informative

    Um, just FYI, he said OpenBSD, not FreeBSD. I think most people would agree about the security of OpenBSD.

  2. security by Lumpy · · Score: 3, Informative

    It's very true. Anything can be secured, including Windows NT/200/xp/zp/ww3p; it just takes more time and more money to do it than BSD or Linux. But many companies take the stance of hiring a security consultant, getting an audit, fixing what's wrong, and then believing that they've done what was needed and that they are secure now. They never think, or don't want to think, that security is a moving target that requires full-time attention and trained people to take care of it. Send your IS/IT staff to security training and seminars; keep the staff trained.

    Unfortunately, in today's economic world, those programs and positions will be among the first to be cut by the CEOs.

    --
    Do not look at laser with remaining good eye.
    1. Re:security by mindstrm · · Score: 4, Interesting

      I don't even buy that it's 'easier' to secure BSD.

      It may take a few less keystrokes out of the box, on any particular version, but that's where it ends.

      Running *real* live systems, it takes the same amount of diligence and effort to keep them secured. You have to be aware of each new application you install, and how it impacts your security. It's no different on any OS.

      Win2k is not hard to secure; neither is any other MS system.

    2. Re:security by Simon+Brooke · · Score: 3, Insightful
      Win2k is not hard to secure; neither is any other MS system

      [simon@beesianum simon]$ cat /var/log/httpd/*access* | grep msadc | wc -l
      133

      Not bad for a worm that's been live for less than seven hours, and attacks an operating system that's 'easy to secure'.

      --
      I'm old enough to remember when discussions on Slashdot were well informed.
    3. Re:security by MeowMeow+Jones · · Score: 3, Informative

      The worm might be new, but the patch for the exploit in question was released in October 2000. Here are some links that are of interest:

      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/locktool.asp

      http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/tools/iis5chk.asp

      --

      Trolls throughout history:
      Jonathan Swift

    4. Re:security by coolgeek · · Score: 5, Informative
      the patch for the exploit in question was released in October 2000

      I don't want to harsh on you too roughly. Blaming the end user for not patching their systems is a bit like a programmer blaming a user for pressing that wrong key at that wrong time that crashes said programmer's code. They are innocent and ignorant. Insisting that they become clued about administering their computers is analogous to saying all motorists should be semi-proficient mechanics before climbing behind the wheel. It's just not practical, and it ain't never gonna happen.

      Microsoft sure seems to have money to spend when it comes to siccing the BSA on its paying customers, or lobbying various public officials to look the other way while they break the law, yet seems to have $0 when it comes to educating the masses about the flaws in its products. Why not some full-page ads and television spots: "We're sorry we made a boo-boo. Please visit windowsupdate.microsoft.com to repair your Windows installation, and help keep The Internet safe for all of us." (and I have my doubts about whether that plugs these leaks) How about just putting some "Free MSN and Windows Repair CDs" next to the free AOL CDs you see everywhere. Instead, Microsoft seems to be quite content to allow the rest of us to pick up the tab for their follies in the form of lost productivity, upstream bandwidth fees, law enforcement investigations, etc. I would speak to their possible motives as to why they might want us all to waste our time and money, but I've sworn off the flamebait for a while.

      --

      cat /dev/null >sig
  3. Re:Most Secure Language by devphil · · Score: 3, Interesting


    Agreed, to an extent. Whenever I see coders beginning to argue about "secure languages" and programming languages that "don't allow" security holes, I have to laugh and recall what Bjarne Stroustrup said about C++'s (and C's) approach to such things.

    I assume that a sufficiently skilled programmer can do anything not explicitly prohibited by hardware.

    (I'm quoting from memory.) The "protections" of the C family of languages are meant to prevent accidents, not fraud. Y'all might check out something like libsafe, originally from Bell Labs, and released under the LGPL.

    --
    You cannot apply a technological solution to a sociological problem. (Edwards' Law)
  4. Re:Most Secure Language by scrytch · · Score: 3, Insightful

    This is why you shouldn't use an MS designed languages like VB or C#.

    Show me a buffer overflow attack on the VB VM. Just one. Attacks on the system? Watch me write "rm -rf $HOME /" in perl, python, and ruby. MS ships IIS in a bloody awful configuration for security, and it may not be possible to totally secure it, but the herring you're waving around is redder than Khrushchev (there's a dated joke).

    --
    I've finally had it: until slashdot gets article moderation, I am not coming back.
  5. *nix admins are different by lowflying · · Score: 3, Insightful
    In a previous lifestyle, I flew helicopters for the Army. As a newbie admin, other admins have seemed impressed by how paranoid I am that some box I am responsible for is going to get cracked. This has always been my explanation:
    The thing is, helicopters are different from planes. An airplane by its nature wants to fly, and if not interfered with too strongly by unusual events or by a deliberately incompetent pilot, it will fly. A helicopter does not want to fly. It is maintained in the air by a variety of forces and controls working in opposition to each other, and if there is any disturbance in this delicate balance the helicopter stops flying; immediately and disastrously. There is no such thing as a gliding helicopter.

    This is why being a helicopter pilot is so different from being an airplane pilot, and why in generality, airplane pilots are open, clear-eyed, buoyant extroverts and helicopter pilots are brooding introspective anticipators of trouble. They know if something bad has not happened it is about to.
    -Harry Reasoner, February 16, 1971

    I just wonder what is different about the training of *nix admins that makes them recognize that vigilance must be eternal, while the admins of other OSes seem to assume everything will go right when that is clearly not the case.

    Dave
  6. too late? by slashkitty · · Score: 3, Informative
    Wouldn't that be too late? Apache logs the request after it is successful. Some request for /path/to/shell/sh?rm+-rf+/ would only need one request, were that a real hole. Your log analysis would detect it, if the log file was even still there.


    Instead, your script would have to be a module or proxy that filters all incoming requests and stops them before the trouble.

    --
    -- these are only opinions and they might not be mine.
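
Added example, not part of any comment in the thread: a Python version of the `grep msadc | wc -l` count shown above that also groups probes by client and flags any that received a non-error status. It reads entries Apache has already written, so it reports probes after they were handled and does not block them, which is the limitation the last comment raises. The log lines, the placeholder paths and the function name `summarize_probes` are constructed for illustration, and the Apache common/combined log format is assumed.

```python
import re
from collections import Counter

# Prefix shared by Apache common and combined log formats:
# host ident user [time] "request line" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, placeholder paths).
SAMPLE_LOG = '''\
192.0.2.10 - - [18/Sep/2001:09:14:02 +0100] "GET /msadc/placeholder-a HTTP/1.0" 404 287
192.0.2.10 - - [18/Sep/2001:09:14:03 +0100] "GET /MSADC/placeholder-b HTTP/1.0" 404 287
198.51.100.7 - - [18/Sep/2001:09:20:41 +0100] "GET /msadc/placeholder-a HTTP/1.0" 200 1024
203.0.113.5 - - [18/Sep/2001:09:21:00 +0100] "GET /index.html HTTP/1.0" 200 5120
203.0.113.5 - - [18/Sep/2001:09:21:05 +0100] "GET /docs/ HTTP/1.0" 200 310 "http://example.test/msadc-writeup" "-"
this line is truncated and does not parse
'''


def summarize_probes(log_text, marker="msadc"):
    """Return (per-client Counter, answered probes, unparsed line count)."""
    per_client = Counter()
    answered = []   # probes that did NOT get a 4xx/5xx: need a manual look
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1   # report malformed lines instead of dropping them
            continue
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        parts = request.split()
        # Match on the request path only, case-insensitively, so a Referer
        # that mentions the marker (fifth sample line) is not counted.
        path = parts[1] if len(parts) >= 2 else request
        if marker.lower() not in path.lower():
            continue
        per_client[client] += 1
        if status < 400:
            answered.append((client, path, status))
    return per_client, answered, unparsed


if __name__ == "__main__":
    clients, answered, unparsed = summarize_probes(SAMPLE_LOG)
    print(sum(clients.values()), "probes from", len(clients), "clients")
    print("answered without an error status:", answered, "unparsed:", unparsed)
```

A plain `grep` would count the fifth sample line as a hit and miss the uppercase path on the second; matching on the parsed request path avoids both.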