Reflecting on Linux Security in 2003
LogError writes "Here's a look at some interesting happenings with Linux security in 2003 with comments by Bob Toxen (one of the 162 recognized developers of Berkeley UNIX and author of "Real World Linux Security") and Marcel Gagne (President of Salmar Consulting, Inc. and author of "Linux System Administration - A User's Guide" and "Moving to Linux")."
I haven't been r00t3d.
Sweet.
printf("%s@yahoo.co.uk\n", uid[569754].name);
They even have documents that give a step by step procedure for stealing the Microsoft fonts and installing them on Linux systems! Notice in particular the instructions for the Tahoma font.
http://www.tldp.org/HOWTO/mini/FDU/truetype.html
Your link is bad, it should be
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/FDU.html#TRUETYPE
Also, from the HOW-TO, "TrueType is a registered trademark of Apple Computer, Inc.", not Microsoft. I'm not sure if the 'Tahoma' font in particular is property of Microsoft.
Just thought that you should know.
Actually TrueType is an Apple invention and the trademark is properly credited. The Tahoma font is the property of Microsoft, as is Arial and many other fonts.
printf("%s@yahoo.co.uk\n", uid[569754].name);
Minor nitpick: if you read the link you posted, you'll see that there's in fact no WebDAV code in ntdll.dll (why would there be?)
:)
WebDAV depends on some code in ntdll.dll, and it looks like you can feed WebDAV goop that it happily uses to exploit the BO in ntdll.dll.
So, WebDAV is the attack vector to remotely get at a problem in ntdll.dll. It's not substantially different than PHP triggering a bug in kmalloc().
My opinions are my own, and do not necessarily represent those of my employer.
I was trying to decide whether to mod you as Flamebait when I went back and looked at your posting history to look for troll footprints.
''I agree with you completely, and i work for microsoft :)''
You could have mentioned that you are a MSFT employee in your impassioned defense of MSFT here. I have Bob Toxen's ''Linux Security'' book, it's pretty interesting. But your post seems to be a big ''we're all as bad as each other so ignore the fact I am evil'' astroturf.
Something you might want to chew on is the different value proposition of being given control of sources for software for free, vs being trained into a dependent monkey for whatever MSFT give you. Merry Christmas!
Listen to what MS says in its advertisements about Linux server security:
:-)
Take a look at the German MS advertisement
- no GUI for Linux server on old hardware
- authentication with unencrypted text as default
- no Kerberos support
- no smartcard authentication support
- no public key infrastructure with directory service
- no default crypto file system
translated "the protection of sensitive business data can only partially be done with Linux"
- bug fixes by "free will" contributors (may be okay for hobby applications, not for sensitive business data)
- few professionally trained specialists
- Linux as a problem and cost trap
--- don't tell me this is FUD
Securityfocus belongs to Microsoft, that seems to be very likely. They don't seem to be experts in IT security.
2003 was the year for LSM (Linux Security Modules) to become mainstream by the release of the 2.6.x kernel. Though LSM's basic idea is great, it doesn't at the moment include even a fraction of the required hooks (couldn't support PAX for instance!) so it is kind of useless.
In any case, the mainstream kernel still doesn't include buffer overflow protection for the userspace processes. It isn't protected itself either. Some smart people use Grsecurity and Propolice kernel patches to obtain both, but...
MS will release XP SP2 soon with "some tweaks" over the matter. Soon perhaps only the Linux boxes will be virtually breakable.
Nice going, kernel developers.