CNN on "hackers"
phil reed writes "CNN is running a special section on "hacking" called Insurgency on the Internet. I read part of it and winced, but other parts aren't bad. They have a dueling interview, featuring Emmanuel Goldstein (Editor of 2600 Magazine) on the 'pro' side, and he gives a pretty good accounting of himself. On the other hand, there is some pretty lame stuff."
If we look at the history of responses to security threats, we see a trend towards greater preparedness and automation in response to threats. Ideally, this would make it easier for people to secure their (Unixoid) systems. However, for various reasons, this isn't exactly happening.
Originally, it was considered acceptable to have a relatively open system and to tighten security only when that system was actively abused or harmed. This was partly due to simple trust, but also partly due to the fact that the consequences of security threats on Net systems weren't nearly as bad as they are today. There were very few malicious crackers, and because of the small size of the Net it was easy to track them down. Most security-hole exploitation was done in fun, and without doing damage.
Later, after the RTM Internet Worm, it became expected that security holes would be reported as bugs, and that system maintainers would upgrade their systems to patch known holes. This is what we have CERT bulletins for --- to warn us of holes which have been discovered, so that we can secure our systems before they are exploited. In addition, we have systems such as SATAN that can diagnose existing, known security holes so that we can patch them. However, none of these measures are effective against a newly-discovered exploit which only the crackers know about.
Now, however, the increasing dependence of both the global economy and global culture on the Net has made it essential that we keep ahead of the crackers. So we now keep copious logs of all network activity, and we have security packages that alert us to activities which might be a prelude to an attack --- such as portscans. Even if we don't know of a security hole in our systems, we can at least notice when someone else is looking for one. Some of these packages simply alert the sysadmin to suspicious activity; others actively firewall out a site from which they detect a portscan.
Some free-software operating systems have kept up marvelously with this trend. OpenBSD, for instance, takes pride in being "proactively" secure, and sends regular security bulletins to the system administrator. Debian GNU/Linux also stands tall in security, making many logging and threat-detection packages easily available, as well as having reasonably paranoid security defaults. Debian's apt system also makes it trivially easy for system maintainers to keep up to date on security patches.
However, despite these advances in security, it's still true that far too many "Joe Redhat" users get rooted every day. Some systems aren't keeping up --- and in a sense, because Unixoid systems run more network services and in fact are designed for network operation, a poorly-secured Linux-based system may be worse, security-wise, than Windows.
Some would say "If a user doesn't know enough to secure his/her system, s/he deserves to get rooted." As a network systems administrator for a small college, I cannot accept that as a responsible answer. We encourage technically-minded students to put up Linux- and BSD-based hosts on our campus network --- not only for fun, but to encourage them to learn about these systems. However, if one of these students gets rooted, that exposes the rest of our network to greater hazard: something that I don't want to happen. Hence, I have a vested interest in ensuring that these students have good security on their personal systems, even though I can't go around auditing them.
An inexperienced user needs more help making his/her system secure than does a seasoned sysadmin. We cannot afford to think of security as something that can be traded off for ease of configuration, system simplicity, or ease of use. Unless those who intend to deliver "free software for the masses" --- Red Hat Inc. and its ilk --- make their systems more "proactively secure", free software will not live up to its security potential. If this goes on, "Joe RedHat" will keep getting rooted, and Linux-on-the-Desktop will be a security disaster.