Slashdot Mirror

← Back to Stories (view on slashdot.org)

Red Hat & Dell Host Open Source Security Summit

Posted by CowboyNeal on from the footing-the-bill dept.

wishus writes "Red Hat and Dell said they would co-host an Open Source Security Summit. 'Join Red Hat, Dell and experts in enterprise security from around the world for a summit on securing infrastructures with open source software.'"

15 of 79 comments (clear)

  1. a good thing... by netphilter · · Score: 4, Insightful

    I think this is a very good thing, considering that to most people the idea that something designed in such an open manner is secure seems preposterous. I may even drag my Controller along in an effort to help to open her eyes to the fact that we don't have to pay big money for good security.

    --
    "Herbivores eat well cause their food never, ever runs."
  2. Dude! by DarkHelmet · · Score: 5, Funny
    And I thought the ads that IBM had for Linux were interesting enough.

    Imagine ads with "Steven" saying, "Dude, you're compiling a kernel."

    *shudder*

    --
    /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
    1. Re:Dude! by mark_lybarger · · Score: 3, Funny

      Imagine ads with "Steven" saying, "Dude, you're getting a dell, wanna roll your own? If not, I hear the Red Hat guy rolls a good one. :D"

    2. Re:Dude! by red_dragon · · Score: 4, Funny

      I fear that they might want to change the kernel error messages first.

      Dude, you're getting a kernel panic!

      --
      In Soviet Russia, Jesus asks: "What Would You Do?"
  3. Timing... by ackthpt · · Score: 3, Interesting
    And there's this nice bit being splashed about on Yahoo News this morning.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:Timing... by Sn4xx0r · · Score: 4, Informative

      And here is the list of vulnerabilities that they are talking about.

      --
      Got brain?
  4. Opensource the Dell Dude? by Komrade+S. · · Score: 5, Funny

    In this case, I think I'll settle for closed source. Thanks for the thought anyway, Dell.

    --

    s200.org - visit it (me), love it (me).

  5. User Friendly Security by snatchitup · · Score: 5, Insightful

    RedHat has made great strides in the user-friendly install... At least making easy for Windows users to "try out its features".

    The problem is, so much of the strong reasons for switching to Linux (aka security) are hard to realize in a user friendly sort of way.

    For instance, getting OpenSSH up and running to integrate a Windows box to be able to ftp from/to the secure Linux install takes alot of work, and fishing around. It's an immediate turn-off.

    Then there's wireless networking. Oh by the way, you have to become a kernel compile afficianado to get these wireless drivers workers.

    If we're talking RedHat/ here and security in the same breath, then why not focus on a user friendly install for security. Including a side howto on how to possibly go get Putty up and running. And how you're going to need to generate your keys with ssh-keygen type 2 rsa and then load them into puttygen which will convert them. And oh by the way, the converted private key will also work under SecureNetTerm. Don't forget something like this for your private keys in you $home/.ssh dir:

    chmod 600 id_rsa
    cp id_rsa authorized_keys2

    It wasn't that easy, but it should be, and it could be.

    1. Re:User Friendly Security by netphilter · · Score: 3, Interesting

      I agree that security should be easy, and believe it or not I think that in some ways Microsoft is beginning to do a good job in this arena. Before you flame me hear me out. I'm not claiming that Microsoft OS's are secure, or that they're even as secure as Linux. However, they have found ways to integrate some basic security features in a user-friendly way. For example, the Internet Connection Firewall. Is it a great firewall? No, not at all. However, it does provide basic firewalling services, and it logs. I know that Redhat incorporates ipchains and allows for relatively simple configuration, but ICF just seems a bit more userfriendly. I would, however, like to see someone (I started to but don't have the time) write a perl script that goes through the logs looking for traffic patterns so you can do basic intrusion detection.

      Again, in general I think that Microsoft has deployed some simple security tools like ICF, the MBSA, and even Windows Update that Redhat can't really compete with. Even up2date is a little more complicated than most people want to deal with. The RHN is a good service for enterprises, but for Joe User that doesn't want to pay it's just not that great. I have recently converted a family member to Redhat from Win2k, and one of their complaints is their inability to update their PC because "Free service limited due to high load..." Most people don't know what that means and don't care...it discourages them from even updating their computers at all. Overall, I think that Microsoft is winning the user-friendly security tool war, even though their software is not secure.

      --
      "Herbivores eat well cause their food never, ever runs."
    2. Re:User Friendly Security by back_pages · · Score: 3, Interesting
      How useful is that friendly firewall going to be once every cracker interested in breaking into Windows boxes knows what the failings of it are? That user friendly firewall becomes a user friendly waste of time.

      It would be fantastic if their user friendly firewall did all the work rather than part of the work, but the ability to root a box in 5 ways instead of 10 is still the ability to root. The real danger is in convincing the users that the firewall makes them safe and therefore need not be vigilant or suspicious. That creates users who do not patch their software, making the inevitable breach more disasterous.

      In fact, your quote, "Microsoft is winning the user-friendly security tool war, even though their software is not secure," is rather telling. They aren't winning anything related to security. They're succeeding in generating revenue through marketing and slogans, which they've always done. The security of their products is not enhanced in any fashion by their user friendly firewall in the long run. If you think it takes a public relations department and TV commercials to win the security tool war, you simply don't have a clue and probably don't want one.

  6. And right next to this story... by gosand · · Score: 5, Funny
    I went to read this story, and noticed in the Breaking News box right next to it was this story:
    Microsoft Issues Windows Security Warning

    gotta love it

    --

    My beliefs do not require that you agree with them.

  7. Design, Development, Deployment "load marks" by NZheretic · · Score: 5, Interesting
    From the Plimsoll Club history
    Samuel Plimsoll, M.P.
    (1824-1898)
    Samuel Plimsoll brought about one of the greatest shipping revolutions ever known by shocking the British nation into making reforms which have saved the lives of countless seamen. By the mid-1800's, the overloading of English ships had become a national problem. Plimsoll took up as a crusade the plan of James Hall to require that vessels bear a load line marking indicating when they were overloaded, hence ensuring the safety of crew and cargo. His violent speeches aroused the House of Commons; his book, Our Seamen, shocked the people at large into clamorous indignation. His book also earned him the hatred of many shipowners who set in train a series of legal battles against Plimsoll. Through this adversity and personal loss, Plimsoll clung doggedly to his facts. He fought to the point of utter exhaustion until finally, in 1876, Parliament was forced to pass the Unseaworthy Ships Bill into law, requiring that vessels bear the load line freeboard marking. It was soon known as the "Plimsoll Mark" and was eventually adopted by all maritime nations of the world.

    The risks,issues and solutions for providing a more secure operating and application enviroment have been known for decades. Those who do not already comprehend the issues and are willing to learn, should take some time out to listen to some of the speeches at Dr. Dobbs Journal's Technetcast security archives, starting with Meeting Future Security Challenges by Dr. Blaine Burnam, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA)

    The "security rules" for Unix based system and application development are well known, although not widely taught. See Secure Programming for Linux and Unix by David Wheeler. Although Microsoft's NT,2000 and XP are not Unix based, a lot of the core above "rules" apply or have direct or indirect equivalents

    Because some developers ignore similar above rules, the design and implementation of some applications and servers are just too unsafe to use in the "open ocean" of the internet.


    Numerous security experts have railed against Microsoft's lack of security, best summed up by Bruce Schneier Founder and CTO Counterpane Internet Security, Inc who rightly stated ...

    Honestly, security experts don't pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft's poor products are one of the reasons we're in business. We pick on them because they've done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products' security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products. (Note to Gartner: The vulnerabilities will come, a couple of them a week, for years and years...until people stop looking for them. Waiting six months isn't going to make this OS safer.)

    However Microsoft's products are not alone in the presence of vulnerabilities, this is a major issue for Linux/BSD and Unix as well as any other OS and vendor.

    In a recent speech Fixing Network Security by Hacking the Business Climate Bruce Schneier claimed that for change to occur, the software industry must become libel for damages from "unsecure" software, however historically, this has not always been the case, since most businesses can insure against damages and pass the cost along to the consumer.

    The Ford Pinto and more recently the Ford Explorer's tires are two examples of public and media pressure being more successful than just threat of lawsuits. Even so, eventually though public pressure the governments around the world have to step in and pass regulations that set up a minimum set of requirements an automobile has to meet to be deemed "road worthy". This includes crash testing as well as the inclusion of safety equipment on all models. The requirement are not constant and change to meet the expectations and demands of the public and lawmakers.

    The onus is not only on the automotive industry itself but also on the users. Most countries require that all automobiles undergo regular inspection and maintain an up to date "Warrant of Fitness".

    In the same way, if you want a secure IT infrastructure, eventually the software design, implementation and each deployment will have to undergo the same type of regulation and scrutiny.

    For paid software distributions, this could mean just a tick list of security features and security tests to the other extreme of requiring the source code to be fully audited for government/secure deployments.

    For users, this would require running a program that checks to make sure that all the required software security update/patches have been installed to the other extreme of requiring an audited deployment for government/secure deployments.

    Users and vendors should be taking a more active approach, including lobbying government, to
    1) set up a minimum set of expectations, in the design and implementation of internet "accessing" software ; and
    2) ensure that all deployments are more securely implemented ; and/or
    3) remove inherently unsecure products from the marketplace.

    IMO the above three are preferable to all software vendors, including Microsoft, than attempts to allow liability lawsuits against vendors for deployments which the software vendors have very little control over.

  8. Re:Interesting by pellaeon · · Score: 4, Interesting

    You (and my co-responder) haven't run RedHat for a while haven't you? By default, since RH7.1, NO services are started!

    Get your facts straight before flaming please. Red Hat is doing a good job, progressively being more 'secure by default' since about RH 6.1 (took them a while though ;-)

    --
    -- /bin/coffee missing. universe halted.
  9. Re:Interesting by j_kenpo · · Score: 3, Informative

    Excuse me, before you run your mouth, maybe you should get your facts straight. Ive run Red Hat since 4.2 as a matter of fact. I just did a fresh install of 8, and it had the mentioned applications, plus a few extras, start up by default. I had to MANUALLY disable those items from each runlevel init... Same goes for the box I upgraded, it added services that were previously disabled. And has been that way in every realease of RedHat that Ive run. This has been the case using the RedHat Installer AND using APT-RPM for doing the upgrades and installations. Now it may not be that way using the type of installation choices other than Custom, but since I do a custom install everytime I couldnt tell you...

  10. Enterprise security? by voicebox · · Score: 4, Funny

    and experts in enterprise security

    Does that mean a couple of red-shirts will be there?