PCWeek Summarizes hackpcweek.com Test
Banraeth writes "This week's PC Week contains a story about the results from their hackpcweek.com security test site. They explain the object of the test, how many attempts they got, the structure of the attempts and the way someone finally got in. The article reads really well and very clearly explains the anatomy of a break-in for those of us who aren't Linux security gurus."
PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement.
Well, that is very interesting, isn't it. Then why weren't the available security fixes for Red Hat applied? Bah. They went to the trouble of getting service packs for NT, but couldn't rpm -Uhv *.
While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system.
Well, isn't that special. http://www.redhat.com/corp/support/errata/rh60-errata-general.html
Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.
Last I checked, no hole in the kernel was exploited. As for the other components, you buy from Red Hat to get the central infrastructure. You could roll your own distro if you wanted to worry about updating all of the individual packages. When you buy a distro, you pay a company money to package things for you, so when you need an update, you go to them.
The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them
Again wrong. I don't use Debian myself, but I believe they have a system for doing just that in a much more secure manner.
The bottom line is daunting: Don't let your guard down--ever.
Right. Basically like they did by not applying the fixes put out by Red Hat and using unaudited CGI scripts.
This sig is false.