Slashdot Mirror


Jay Beale On Overcoming Linux Security Holes

alpinista writes "Sorry, Redmond; according to Jay Beale, it's not yet time to throw away all those pesky insecure Linux boxes. Newsforge interviewed Jay and got some pretty straight talk from a guy that knows more than his share about OS security. In a nutshell: 'Beale's take on how you can make your system more secure, on the Linux vs. Windows security debate, and on the Digital Millennium Copyright Act's impact on security testing.'"

9 of 30 comments

  1. A few facts about Microsoft's OS may help. by Futurepower(R) · · Score: 3, Interesting


    Some facts about Microsoft's OS may be helpful here in making a comparison:

    English: Windows XP Shows the Direction Microsoft is Going..

    Spanish: Windows XP muestra la dirección que Microsoft está tomando.

    1. Re:A few facts about Microsoft's OS may help. by duffbeer703 · · Score: 5, Informative

      That article is full of FUD and very misleading.

      Suggesting that Windows XP is awful because it is easy to change a user's password if you have physical access is absurd. Has the dope who wrote this ever heard of "single-user mode" in Unix?

      Similarly is the statement criticizing MS for not supporting ghosted system images without sysprep. If you do not use sysprep, the ghosted systems will have the same SID, which opens you up to all sorts of security vulnerabilities.

      Microsoft is a shitty company, with plenty of legitimate practices to criticize. If you need to use FUD when knocking Windows XP, you need to pursue a new line of work.

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
  2. Bastille Linux by agnosonga · · Score: 5, Informative
    Linux.com: What's going on with Bastille Linux right now? Where's the project at?

    Beale: Well, for readers who don't know, Bastille Linux is a hardening program. Basically, it's a tool that increases the security of a system in every way that we've thought to automate. This includes steps like reconfiguring DNS, Web, FTP and Mail servers for better security, but also includes single-machine or single network firewalls and port scan detection tools.

    Now, our most recent piece of good news is that we're officially supporting HP-UX, making our name just slightly inaccurate. Then again, we probably started that trend a few years ago, naming ourselves after a defeated French jail!


    you can get it here
  3. Correctness by norwoodites · · Score: 4, Insightful

    Why do people not stop for a second and audit their code for correctness, like what the OpenBSD people have been doing?
    Correctness will make security holes be very few and far in between.
    Also the more eyes the better because someone can spot one problem somewhere that another would not spot.
    I think for the Linux kernel 2.8, correctness should be a priority. Also for glibc 2.4, and all other projects' next versions, which should include Mozilla.

  4. Read the article more carefully. by Futurepower(R) · · Score: 3, Interesting


    You seem not to have read the article carefully.

    This is an amazing phenomenon. Someone takes a quick look at a 12,000 word article, finds one thing wrong, and says the whole article is terrible.

    The article does seem to need some improvement, but it is mostly correct. I removed the section you complain about above, so that it can be re-written.

    The point of the section about local security is to tell executives that they are getting less security than they think.

    The free SysInternals.com SID changer works great.

  5. another expert on OS security by belbo · · Score: 4, Informative
    Security Expert Gives Operating Systems Poor Security Grade

    Favourite quote: "Windows is awful, but well, so is Linux."

    b.

    --
    "Just believe everything I tell you, and it will all be very, very simple."

  6. Re: UNIX single user mode by Per+Wigren · · Score: 3, Insightful

    You can still use a boot floppy, unless you have turned off boot-from-floppy in BIOS and password-protected it.. But then you can still move that CMOS-reset jumper.. ;)

    Encrypted filesystems are too slow to be usable in practice.. Encrypting only /etc and some specific dirs in /var would be nice though...

    --
    My other account has a 3-digit UID.
  7. Re:Thanks for your comments. by Yankovic · · Score: 3, Insightful

    Not to mention the fact that many many of the items are either not installed by default (MS DTC), do not require connection to MS computers in all but the rarest of circumstances (MMC), and some aren't even installed (Microsoft Baseline Security Analyzer). This is beyond the fact that many are just wrong (Fax Service does not require connecting to MS, etc). For every purported fact in the article, there are two other ways of interpreting the situation, and the author universally picks the wrong one. This is a FUD article, pure and simple.

  8. Re:You make a sweeping claim... by Yankovic · · Score: 3, Informative

    No I read that bit. I agree there are components of your article which are true. But if I have a paper that says 2+2 = 4 and also 4+4 = 6 and 5+5=11, certainly you would call into question the point of the paper (if any). Your paper's point seems to be to MS's current behavior, and then project future behavior based on that. The fact that most of your factual points today are wrong or grossly distorted seems to indicate that your conclusions would suffer the same maladies.

    For example, you state that Windows 98 does not connect to MS computers whereas XP can connect to MS computers in 18 ways. This is false. Most of the components you have listed as connecting under Windows XP ALSO can connect under Windows 98. But let's assume that you're correct and that these components don't connect under Windows 98. So what? How many components in DOS 6.22 had a TCP stack? Technologies change, and now that the internet is available (which was in limited scope in 1995-1997 when Win98 was first being built), you would think that they would adopt these components into their architecture. Wouldn't you?

    Hidden downloads, etc are just FUD. There's little example of MS doing hidden downloads of any sort. And linking to 4 year old sites about people switching from Windows is great... if you want the story of one person moving. Generally, they have little credibility.

    I am not saying anything about the government's case. I AM saying your conclusions are nearly universally wrong, misinformed and flamebait. Your article has little or no worth.