Red Hat to Release Enhanced-Security Linux

Klatoo55 writes "According to an article by Techweb, Red Hat will release Red Hat Enterprise Linux 4.0, which includes support for Security-Enhanced Linux, in 2005. Red Hat has been running this system with a published IP address asking for hackers to try to break the security. The last version was defeated within 45 seconds, but this new version (apparently to be the policy for the next Fedora) has yet to be cracked."

45 Seconds?

[Eberlin]

What happened? Someone ran a brute force root login with the pwlib dictionary or something? Maybe a quick ride with Nessus? Or was it a social engineer who managed to call someone and get the root password?

As has been echoed before time and again -- security is a process, not a product. Of course you'll have more secure products, but it's still up to a competent admin to make sure things are kept secure. Even then, you better have good backups because that one disgruntled guy who works in the mailroom on a machine already inside the firewall just might have an extra ace up his sleeve.

Other ways to improve Linux security?

[Debian+Troll's+Best]

RedHat's 'trial by fire' approach for their new security policy is a good one, and is something all distro makers should try. Nothing beats having your default security config probed and tested by the world's best crackers in a real life environment. But network security is only one piece of the puzzle. As the Windows community has demonstrated time and time again, trojans and spyware can be just as dangerous from a security point of view as network exploits. And while the problem may not be as severe on Linux due to the separation of the root user from the average day-to-day account, havoc may still be wreaked by a regular user downloading a package and installing it, and thus inadvertently installing a trojan.

It seems to me that our package managers (used by the majority of Linux users...not everyone compiles from source) are vulnerable to some type of subversion. They are not controlled or vetted by a central authority. There is no 'certificate' which can be attached to them to guarantee their purity. What the Linux community needs, I feel, is a type of central signing authority or cryptographically sealed DRM-compatible package management system. This could eliminate potential threats associated with trojaned Linux packages. Imagine a secure apt-get. Packages would be enveloped in a tough layer of crypt() security. They would be digitally signed by the Debian project manager, or even Ian Murdock for highly critical packages like the kernel. And it would be impossible to accidently load and install a trojan. Apt-get could even be modified to 'phone home' and let the Debian administrators know which packages where the most popular (and make security updating easier!) packages were being installed and to automatically e-mail users with news of package updates and 'special offers' from co-sponsors. I look forward to the community's response!

Re:Big Deal

[burns210]

yes, but a good core OS will limit the damage any 1 program can do... A common argument about windows is that it itself is secure, however the programs that run it(drivers/applications/etc) are insecure. In actuallity, even with a buggy/trojan program being run, a good OS would not allow it to reak havic on much of the system, let alone crash the entire computer.

All PR and no substance. . . .again

So now Red Hat is using the tired and cliche approach of getting PR by hosting a cracker contest. You would think that they'd have learned from previous examples. Just because a system hasn't been defeated in a cracker contest doesn't mean its secure. Security is a process not something you can shrinkwrap. The proper way to demonstrate the security of a product is through repeated, thorough code audits like some other software distributions are doing. Things must be looking dire indeed for Redhat if they're starting to make announcements of products like this ala another company we know and love.

Re:Invulnerable to MyDoom type virii?

[pavera]

Wrong,
By simply clicking on an attachment in any mail client in linux it will not execute... The user would have to save the attachment to disk, chmod it +x, and then execute it, and then, if the trojan wanted to write anything to disk outside of the users home directory, it would have to ask for the root password, and then if the user was that stupid, ok they really deserve to be infected with a virus. However, in a decently admined system the users don't know the root password, they don't need it ever, and they should never be installing programs. The amount of work it would take to install the trojan on linux would be a deterrent, it is also the deterrent to wide scale adoption by home users of linux.. because installing programs is just as difficult as installing trojans.

Security is too expensive?

[Emor+dNilapasi]

"But vendors and IT decision-makers widely believe it is too expensive to implement these more hacker-resistant security models, he [Tiemann] said."

So let me get this straight: US industry alone spent around half a billion buckaroonies cleaning up the last little virus/worm fiasco, we get about a half-dozen or so of these little gems per year, and yet it's TOO EXPENSIVE(tm) to engineer in security that would stop this kind of thing from happening?

So tell me, just who are these "vendors and IT decision-makers"? Or, to rephrase the question, just who are these drooling, incompetent, feeble-minded idiots who understand so little about security and the consequences of its failure? I'm asking because I want to make sure that i never, ever use (or heaven forbid, purchase!) any product that they have had anything to do with.

Mr. Tiemann, please tell us, did some people actually say this? Really? Because if so, we need to know which products, companies, and idiots to avoid. And I want some of what they're smoking.