Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Security: Reflections on 2002, Eye on 2003

Posted by timothy on from the bolting-the-doors-helps dept.

Mirko Zorz writes "Here are the reflections on Linux security in 2002 and predictions for 2003 by Bob Toxen, one of the 162 recognized developers of Berkeley UNIX and author of the acclaimed book "Real World Linux Security" already in its 2nd edition. Read more at Help Net Security."

9 of 129 comments (clear)

  1. not a major virus by i.r.id10t · · Score: 2, Interesting

    but more of an upswing in new exploits/overflows/etc as more people begin to scrutinize the code - think microsoft has anyone looking for "problems" to announce in a FUD campaign? New ways of distributing them will also be found - but even then there will be those who proclaim their immunity. "It was in an PassiveZ attachment, but since I just use an old line printer as my mail spool, it didn't get me".

    --
    Don't blame me, I voted for Kodos
  2. Re:Damn by yamla · · Score: 3, Interesting

    I personally don't refuse to purchase from places that use IIS but come on. If they can't afford to pay some guy tons of money to set up a linux server, they presumably didn't pay _anything_ to a guy for securing their site. If their site isn't remotely secure, why should I buy from them?

    --

    Oceania has always been at war with Eastasia.
  3. Linux ain't so great... by swordgeek · · Score: 2, Interesting

    Really, is Linux a Secure OS(tm)? No, not really. It's not as popular as Windows, and the security model is better developed than Windows (courtesy of the Unix legacy), which leads to it having fewer exploited exploits, but...

    Is it really that much more secure? Not really.

    The key to security is implementation. Solaris isn't inherently incredibly secure. Secure Solaris is. Linux? Nah. the NSA Linux? I imagine so!

    FreeBSD (and the other BSDs even) was designed with the intention of being secure, and so it is far moreso. So is NSA Linux and Secure Solaris. That ha nothing to do with the inherent security of the base product, though.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  4. Help net security: Toxen's Publicist by Anonymous Coward · · Score: 3, Interesting
    Help Net Security seems to be Bob Toxe'ns personal publicist. Let's see, they wrote and submitted the RWLS book review, performed at least one interview with him, drove people to their site to win free RWLS books. Now, how many other Linux experts have they interviewed and plugged? Can you find any references to Building Secure Servers vith Linux (Bauer, a damned fine book) or Hacking Linux Exposed (Hatch, also excellent)? Or even a note about inferior books, such as the Red Hat security/optimizing one, or Maximum Linux Security? How about an interview with Ziegler of "Linux Firewalls" fame?

    Nope, seems to me Toxen's pseudonym is "Zorz".

  5. Comment removed by account_deleted · · Score: 5, Interesting

    Comment removed based on user account deletion

  6. Sendmail server was broken into by MarkOlszewski42 · · Score: 2, Interesting
    I think the fact that the Sendmail server was broken
    into and serving trojaned copies of the source
    certainly does reflect badly on Sendmail's security.
    If they can't secure their distribution machine,
    how well can they code umpteen years of crappy code?


    Of course, in spite of the OpenSSH bugs, I'd use them any day before the ssh.com code.

  7. Re:Linux? by 1lus10n · · Score: 2, Interesting

    your right, all those damn nimda infected desktop PC's had top secret info on them.

    hey i cracked grandma's PC with code red..... look birthday photos !!!!

    thats what i would classify as a yawn.
    then you have the --> i just cracked IBM's (insert corporate type.) desktop .... prototype designs ...... i could sell these .....

    not saying that either will or has happend. but which would you fear more as an executive at HP , Sun, IBM et al ? your consumer end products getting hosed because of microsofts boo-boo. or your corporate infrastructure getting hosed ?

    and yes i happen to work at one of the above mentioned companies and we easily run 30% of our desktops on linux. (with plans to get 80% to linux by the end of '03) (the other 20% is being kept for R&D and support purposes)

    and if you were talking about unix ...... well get your head checked.

    --
    "Two things are infinite: the universe and human stupidity; and I'm not sure about the the universe." --Albert Einstein
  8. Re:Damn by Error27 · · Score: 4, Interesting

    >they caught the guy too

    You just summed up the difference between using a credit card at a restaurant and using one online.

    I do not think he is paranoid. Three months after CodeRed first appeared, one out of ten "secure" or "comercial" IIS websites were still infected. (Note the word "secure" as in encryption and the word "infected" as opposed to merely "vulnerable".)

  9. Re:Too many services by Real+World+Linux+Sec · · Score: 2, Interesting
    My reference was SuSE 8.0, which was the most recent this summer when my book was written. Even something as simple as restarting IP Tables rules is done wrong in SuSE.

    SuSE first flushes existing rules and then adds new rules. Thus, for a short time there are no rules but the default for each chain is ACCEPT. They are saved only because networking has not yet been turned on. I suspect that this is more of an accident than intent because the correct solution is to first set the defaults to DROP, then add rules, then change the defaults to ACCEPT if that is your desire.

    There are other weaknesses in the current SuSE.

    --
    Bob Toxen, Author, Real World Linux Security, 2nd Ed.
    Security Consulting,