Because "better" != "perfect". (on "Hardening Linux", Score: 4, Informative)
Just because Linux is better than Windows does not mean that Linux cannot be improved.
If we could get the average Joe Bob Windows user to read a book about security, I'm sure we'd see a lot fewer Windows security breaches, too.
Maybe, maybe not. There are lots of books on Windows security out there, also. And lots of people buy them. Microsoft even tried to make patching easy. Microsoft even provided a firewall with WinXP-sp2.
All of which just suggests to me that the difference is in the user base (that's a compliment), not the technology.
I don't see it like that.
A good Windows admin can "secure" his system as well as a good Linux "admin". The difference is how much work and effort are required.
I like Ubuntu. By default, Ubuntu installs with no open ports. So, securing Ubuntu against worm attacks takes no effort on a default installation.
But securing Windows against worm attacks requires constantly reading the vulnerability disclosures. Or adding an additional layer that requires a different skill set.
It's only when you get beyond the default installation that admin skills become important. The current problem is that there are so many older versions of Windows out there that were sold with a very open default installation and that are still vulnerable.
Just assign a secondary IP address to that card. Bind9 should be able to handle multiple addresses per card, as long as they aren't virtual. The problem appears to be how the broadcast packets are received and there really isn't any way to handle that with a virtual card.
But a secondary address should be able to handle it as the initial request will go to the primary address, an address will be issued, and future updates will be seen on that same card, but via the secondary address.
Instead of hacking IPmasq'ing to work with P2P protocols, just implement a system where there are enough addresses for everyone's PC, phone, etc.
As for your ISC DHCP problem, you can assign whatever address blocks you want to. You just need to set up the correct criteria and have a way to recognize it. The easiest way is to assign one block to particular MACs and a different block to regular boxes.
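The MAC-keyed allocation described in the comment above, written out as an added example rather than the poster's own configuration. It uses ISC DHCP 3.x dhcpd.conf syntax (class, subclass and pool statements); the subnet, the two ranges and the MAC addresses are assumptions.

```conf
# dhcpd.conf fragment, ISC DHCP 3.x syntax.  Added example, not the
# poster's configuration: the subnet, the ranges and the MAC addresses
# below are assumptions.

# Class membership is decided by the client's link-layer address.
# The leading "1:" in each subclass value is the hardware type (1 = Ethernet).
class "known-macs" {
    match hardware;
}
subclass "known-macs" 1:00:1a:2b:00:00:01;
subclass "known-macs" 1:00:1a:2b:00:00:02;

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    default-lease-time 600;
    max-lease-time 7200;

    # Block reserved for the listed MACs.
    pool {
        allow members of "known-macs";
        range 192.168.1.10 192.168.1.49;
    }

    # Block for regular boxes; listed MACs never lease from here.
    pool {
        deny members of "known-macs";
        range 192.168.1.100 192.168.1.199;
    }
}
```

A caveat for anyone using the first block as a trust boundary: the client presents its own MAC, and a MAC is trivially spoofed, so this selects an address range but authenticates nothing. If the 192.168.1.10-49 block is going to get extra firewall privileges, pair it with switch port security or 802.1X rather than relying on the class match alone.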
I'll probably get modded into oblivion for this, and I may indeed be quite wrong, but is there anything wrong with allowing "materials critical of evolution" to be taught?
Not that I can see. The only problem is FINDING anything that is scientific and contradicts evolution.
Correct me if I'm wrong, but is there really no scientific basis for any criticism of evolution?
So far there isn't.
Evolution is the foundation of our current understanding of Biology. Everything from DNA to resistant viruses is predicted by evolution.
Isn't it only fair - and rather scientific - to explain both supporting and critical evidence?
Sure. The problem is FINDING anything that is both scientific and critical of evolution.
Great. Now how are you going to grade someone's paper in science class if he goes on about mystic cabals casting spells that drag objects based upon their psychic signatures towards Hell at the center of the Earth?
How about tests? Will there now be a "E. Fill in your explanation:" for every question?
Science class becomes indistinguishable from Creative Writing 101.
Security is all about reducing the avenues of attack.
If a Linux box is 100% secure from digital attack via the Internet (no ports open), it is still vulnerable to someone breaking into your office and taking the box. Big fat hairy deal. But it is still safe from that worm.
Having a kernel API for drivers allows developers to stay away from the mainstream kernel.
Yes it would. As long as it had every API they needed. Otherwise...
This will enhance the stability of the kernel in general and also allow hardware vendors to support Linux with less effort.
I don't understand the first half of that statement.
I haven't seen any stability problems in the Linux kernel in, literally, YEARS of use.
As for the second part of that statement, maybe yes, maybe no. It depends upon the API and those other developers. Which would bring it all back down to the level of "show me the code".
Rather than discussing this in generalities, focus on the code.
But now, all new sites should be *.*.cc (slashdot.org.us).
The ONLY issue here is the .com, .org, .net (.edu, .mil, .gov) addresses.
Who cares? If the other countries don't want the US to control the .com addresses, they don't have to use them. They can set up their own root servers and manage them. Their ISPs can point to those servers and everyone in that country can bitch at their local government if they don't like it.
Country codes are far more scalable than .com, anyway.
... IBM now has to provide extensive documentation to convince the Court that they do not have a 2.7 kernel... while SCO simply claims that IBM is hiding the 2.7 kernel and will "prove" it once IBM finally complies with SCO's request to turn over everything done by anyone, ever, on any project under any contract.
WAIT! Before you hit that "FUNNY" mod!
SCO HAS demanded access to information/code that a developer (who may have existed) may have written on a computer that may not have been uploaded to a server because it may have been in a "sandbox" and THAT code may be the code necessary for SCO to "prove" its case.
Because maybe that maybe developer may have done something that may not have been allowed under a contract that may have covered what that maybe developer may have done on a machine that might have existed, in a sandbox that might have existed, that may not have any other record.
Anybody can make a ridiculous metaphor that makes something TOTALLY unrelated look accurate.
It is not "TOTALLY unrelated". It illustrates how security is not affected by popularity. It shows that your position is incorrect.
Banks aren't particularly secure, they simply require a different risk.
Thanks for playing! It's been fun!
If you ever visit Reality, drop in and we'll have a beer.
I can walk into a bank with a gun and steal money.
I think I saw that movie, too. It was pretty good. Too bad it was so Hollywood and unrealistic.
Now, depending upon how ruthless I wish to be, I could very likely get away with it (you'd be shocked how often banks are robbed successfully, in the short term).
192.50.74.27
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:49 PST
All 1663 scanned ports on 192.50.74.27 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 38.322 seconds
========
195.200.183.229
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:51 PST
Interesting ports on 195.200.183.229:
(The 1661 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap finished: 1 IP address (1 host up) scanned in 62.432 seconds
========
200.218.224.224
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:53 PST
All 1663 scanned ports on 200.218.224.224 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 39.839 seconds
========
202.123.223.148
I killed the process after 2 minutes.
========
210.109.194.231
I killed this one too.
========
211.155.246.38
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 10:01 PST
All 1663 scanned ports on 211.155.246.38 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 38.386 seconds
========
Okay, I'm stopping there. I was under the impression that I'd be seeing some open ports. I can only verify port 80 on ONE of those so far.
How OLD are those entries? Why does it appear that the problem, if it ever existed on those machines, has been cleared already?
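The scan dump above is a good example of evidence that needs to be tallied rather than eyeballed: two of the six runs were killed, so they prove nothing either way. As an added example (not code from the thread), here is a small parser for nmap 3.x "normal" output as pasted into a post. The line patterns are assumptions based on the nmap 3.81 output shown above; SAMPLE is a transcription of three of the poster's own results, including one aborted run.

```python
"""Parse nmap 3.x "normal" output pasted into a forum post and tally open ports.

Added example; this is not code from the original thread.  The line
patterns are assumptions based on the nmap 3.81 output quoted above, and
SAMPLE is a transcription of three of the thread's own scan results.
"""
import re
from typing import Dict, List, Tuple

SAMPLE = """\
192.50.74.27
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:49 PST
All 1663 scanned ports on 192.50.74.27 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 38.322 seconds
========
195.200.183.229
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:51 PST
Interesting ports on 195.200.183.229:
(The 1661 ports scanned but not shown below are in state: filtered)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
Nmap finished: 1 IP address (1 host up) scanned in 62.432 seconds
========
202.123.223.148
I killed the process after 2 minutes.
========
"""

# One regex per line type we care about (nmap 3.x "normal" output).
ALL_PORTS_RE = re.compile(r"^All (\d+) scanned ports on (\S+) are: (\w+)$")
NOT_SHOWN_RE = re.compile(
    r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")
FINISHED_RE = re.compile(r"^Nmap finished: \d+ IP address(?:es)? \((\d+) hosts? up\)")

PortEntry = Tuple[int, str, str]   # (port, protocol, service)


def parse_scan_dump(text: str) -> Dict[str, dict]:
    """Map each target (first line of a '========'-separated block) to a summary.

    A block with no 'Starting nmap' line (a run the poster killed) is recorded
    with scanned=False so it is not mistaken for 'no open ports'.
    """
    results: Dict[str, dict] = {}
    for block in text.split("========"):
        lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        target = lines[0]
        entry = {"scanned": False, "hosts_up": 0, "default_state": None, "open": []}
        for ln in lines[1:]:
            if ln.startswith("Starting nmap"):
                entry["scanned"] = True
                continue
            m = ALL_PORTS_RE.match(ln)
            if m:                                   # every port in one state
                entry["default_state"] = m.group(3)
                continue
            m = NOT_SHOWN_RE.match(ln)
            if m:                                   # state of the ports not listed
                entry["default_state"] = m.group(2)
                continue
            m = PORT_RE.match(ln)
            if m and m.group(3) == "open":          # a listed open port
                entry["open"].append((int(m.group(1)), m.group(2), m.group(4)))
                continue
            m = FINISHED_RE.match(ln)
            if m:
                entry["hosts_up"] = int(m.group(1))
        results[target] = entry
    return results


def hosts_with_open_port(results: Dict[str, dict], port: int, proto: str = "tcp") -> List[str]:
    """Targets on which the given port was reported open."""
    return sorted(
        target for target, entry in results.items()
        if any(p == port and pr == proto for p, pr, _ in entry["open"])
    )


def unverified_targets(results: Dict[str, dict]) -> List[str]:
    """Targets for which no scan completed, so nothing is proven either way."""
    return sorted(t for t, e in results.items() if not e["scanned"])


if __name__ == "__main__":
    summary = parse_scan_dump(SAMPLE)
    for target, entry in summary.items():
        print(target, "open:", entry["open"] or entry["default_state"] or "not scanned")
    print("port 80 open on:", hosts_with_open_port(summary, 80))
    print("unverified:", unverified_targets(summary))
```

The distinction the parser keeps (scanned-and-filtered versus never-scanned) is the one that matters when the output is used as evidence: "all ports filtered" on a host is a result, a killed run is not, and a list of supposedly infected hosts cannot be refuted by the latter.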
No. It will keep coming up because people who don't understand security will keep bringing it up.
There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.
The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home.
As for the worm, I didn't say it was a flaw in Linux, I was merely pointing out that security issues that affect Linux systems will rise as the success of Linux rises.
That's what you believe. Yet my bank example shows that popularity has nothing to do with security.
Maybe you should mod that as 'master of the obvious', but it doesn't make it any less accurate.
That is because your statement is as inaccurate as possible already.
By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.
Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!
What's that? "Number of Sites: 0-2"?
That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?
Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.
This is not a flaw in Linux. It is a vulnerability in a script written in PHP that a sysadmin may install on a Linux box.
This has nothing to do with whether "valuable and important data" is stored on a Linux box.
If Linux was used by 10x more people/systems, there is no reason to believe that we'd see 10x more worms/viruses in the wild.
Yet every time the topic of a Linux worm/virus/trojan comes up, someone will make a comment about how it will only happen more as Linux becomes more popular.
If the Linux distribution does not run Apache by default, it is safe. If Windows does not run IIS by default, it is safe. So far, so good.
If the Linux distribution does not run PHP by default, it is safe. If Windows does not run their scripting system by default, it is safe. So far, so good.
If the Linux distribution does not run those particular scripts by default, it is safe. If Windows does not run vulnerable scripts by default, it is safe. So far, so good.
So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance.
Both can be made vulnerable by installing systems/scripts that are not part of the default system.
But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.
The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.
Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.
Or can it exist as a robust business model that can compete with commercial competitors?
Open Source is a software development model. It is not a business model.
A business model can be based upon selling items/services/etc related to systems developed via the Open Source model, but they are not the same.
I agree with you that Open Source will live on regardless of money invested by venture capitalists. The question is, at what level. Hobbyists? Tinkerers?
Given that Linux advanced to its current state almost 100% via the "hobbyists" and "tinkerers", is that a bad thing?
More funding is always nice. It allows people to devote more time to it. But it won't make or break a project. The community is what decides that.
I've been seeing more and more paid programming positions advertised on my campus' job site for open source projects. As cool as I think it would be to take a job like this when I get out of school, I don't want to go somewhere where the floor will fall out from underneath me.
Again, if that happens, it is because of a failure of the business model, not the Open Source development model.
History is littered with failed software companies that used closed source. Why should Open Source guarantee success? It's all about the business model.
Anyway, I'm not trying to predict doom for OSS, I'm just saying that this is a valid discussion, and I'm curious to hear what people have to say.
And here is what I say... don't look to Open Source as a substitute for a valid business plan.
Look at the business plan. That is what will make or break the business.
When you look at it from a power structure model, it becomes crystal clear.
With evolution, there is no need to include god. How/Why life started millions/billions of years ago really doesn't matter to modern science. God is no longer necessary to explain why some people get sick and others do not.
Since god is not needed, certain people who derive their "authority" from god have a problem. The established churches can accept evolution... now. They already have their power base.
The people who are pushing ID are the ones who are trying to justify their "authority" by questioning the established authority of Science via the Theory of Evolution.
That's all. They want the authority, but they don't want to spend the time to advance in the Catholic church nor do they have the mental capacity to become a leading scientist. Which is why you see people like Behe publishing books. It's an easy way to become an "authority" in a field when you don't matter much in any other field.
#1. Show how ID is not scientific because it cannot be falsified.
#2. Because of #1, the people who try to push ID as an "alternative" "scientific theory" should be identified as fundamentalists intent upon using the classrooms to push their own religious beliefs upon students.
There's nothing wrong with being a fundamentalist and believing in ID.
There is a LOT wrong with trying to use the classroom to indoctrinate students with those fundamentalist beliefs.
Have the meeting be the first thing every day. Bring donuts. The last thing everyone does every day is to write up their progress and any issues so they can be presented at the next morning's meeting. Done correctly, this will take 2 minutes per person unless there are some real issues to decide. Everyone but the people involved at that point can be sent back to work.
The coding manager is a good idea, if the project involves writing code. If the manager cannot understand the issues, he cannot manage correctly.
We have names for employees like you - hourly wage earners. Someone who comes in at 7:30, punches the clock, does exactly as they're told, and goes home after they have 8 hours in, and is never expected to give anything more.
And you seem to be under the impression that that is a bad thing. Why?
Honestly, there's very little use for those employees in an IT environment.
Again, why?
I would make sure an employee with such an attitude was at the bottom of the pay scale, and would be constantly turned down for promotion, because it's obvious they have no motivation to better themselves.
It's kind of difficult to "better themselves" when they're at work all the time.
On the other hand, someone who shows initiative - takes responsibility for things and does things before I ask - they're valuable, and paid accordingly.
Do you know what a manager does? The manager manages resources, time, people and money to get the projects done.
What you just said is that employees who take over those functions are more valuable than employees who don't.
Well DUH!!! But the REAL problem is that the MANAGER is not effective.
Don't blame the employee for putting in 8 productive hours a day... but not also taking on the manager's responsibilities.
I can micromanage my employees, but I really don't have the time.
Providing management for the employees is not the same as micromanaging them. If you believe it is, then your management training is flawed.
If you want to find a boss like you describe, I've seen many of them overseeing assembly lines for the big 3 automakers.
Probably. Good managers can be found all over.
As can bad managers.
But don't confuse bad management with bad employees.
#1. It allows you to run multiple boxes at home WITHOUT having to pay extra for a "family" connection plan.
#2. Cheap and easy way to block worms and such.
The Kansas Board of Education says that "science" no longer is bound to NATURAL explanations.
So, by Kansas' new "definition" of "science", then ID is "science".
In a related story, the Ghostbusters cartoon is being recommended for inclusion in Honors Physics.
Security is independent of popularity.
There is nothing about popularity that makes a system more or less secure.
No.
No. FEWER banks are robbed because they have BETTER security.
In order to get down to ZERO banks robbed, you'd have to get to PERFECT security.
Because their security is not perfect.
Now you're confusing "risk" with "security".
The two are not the same.
Security != Popularity
Security != Risk
Read "Attack Trees" by Bruce Schneier.
http://www.schneier.com/paper-attacktrees-ddj-ft.
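The Schneier reference and the "reducing the avenues of attack" point above, as an added example that is not code from the thread: a minimal attack-tree evaluator in Python. The tree shape, the node names and the attacker cost figures are assumptions chosen to mirror the comment's scenario (a box with no listening ports is still exposed to theft, but not to a network worm); OR nodes take the cheapest child, AND nodes need every child, and a mitigated node is an avenue that a control has removed.

```python
"""Attack-tree evaluation in the style of Schneier's "Attack Trees" (DDJ, 1999).

Added example, not part of the original thread.  The tree, the node names
and the cost figures (assumed units) are assumptions chosen to mirror the
comment's scenario: a Linux box with no listening ports is still exposed to
physical theft but not to a network worm.
"""
import math
from dataclasses import dataclass, field
from typing import List, Tuple

INFEASIBLE = math.inf


@dataclass
class AttackNode:
    name: str
    kind: str = "leaf"            # "leaf", "or" or "and"
    cost: float = 0.0             # attacker cost for a leaf (assumed units)
    children: List["AttackNode"] = field(default_factory=list)
    mitigated: bool = False       # a control has removed this avenue


def cheapest_attack(node: AttackNode) -> Tuple[float, List[str]]:
    """Return (cost, leaf path) of the cheapest feasible attack under node.

    OR nodes take the minimum over children; AND nodes must complete every
    child, so their cost is the sum.  A mitigated node, or an AND node with
    any infeasible child, yields INFEASIBLE.
    """
    if node.mitigated:
        return INFEASIBLE, []
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    if node.kind == "and":
        total = sum(r[0] for r in results)
        if math.isinf(total):
            return INFEASIBLE, []
        return total, [step for r in results for step in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def feasible_avenues(node: AttackNode) -> int:
    """Count the distinct feasible attack paths (the 'avenues of attack')."""
    if node.mitigated:
        return 0
    if node.kind == "leaf":
        return 1
    counts = [feasible_avenues(c) for c in node.children]
    if node.kind == "or":
        return sum(counts)
    product = 1
    for c in counts:                # every AND child must be satisfiable
        product *= c
    return product


def build_tree(ports_open: bool, php_script_installed: bool) -> AttackNode:
    """Assumed tree for the goal 'attacker gets control of the Linux box'."""
    return AttackNode("control the box", "or", children=[
        AttackNode("attack over the network", "and", children=[
            AttackNode("a TCP port is listening", cost=0,
                       mitigated=not ports_open),
            AttackNode("get code execution through the listener", "or", children=[
                AttackNode("exploit a flaw in the daemon itself", cost=50),
                AttackNode("exploit a third-party PHP script", "and", children=[
                    AttackNode("vulnerable script is installed", cost=0,
                               mitigated=not php_script_installed),
                    AttackNode("send the worm payload to the script", cost=5),
                ]),
            ]),
        ]),
        AttackNode("break into the office and take the box", cost=5000),
    ])


if __name__ == "__main__":
    for label, tree in (("ports open, script installed", build_tree(True, True)),
                        ("ports open, no script", build_tree(True, False)),
                        ("no listening ports", build_tree(False, True))):
        cost, path = cheapest_attack(tree)
        print(f"{label}: {feasible_avenues(tree)} avenue(s), cheapest={cost} via {path}")
```

Closing every listening port marks one AND child infeasible, which removes the whole network subtree regardless of what scripts sit behind the web server; the physical branch is untouched, so the cheapest remaining attack is theft at (an assumed) 5000 rather than the worm at 5. That is the distinction the comment draws between reducing avenues and reaching perfect security, and it is also why "risk" (which path an attacker actually takes, and how often) and "security" (which paths exist at all) are different quantities.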
I've often noted that when faced with facts, the loser will make some braggart statement instead of attempting to present facts of his own.
And you're another example of that.
I've posted links and facts. You only have your claims based upon your complete lack of understanding of security. Buh bye!
Really? I would be? Let's see.
http://www.fbi.gov/ucr/cius_02/pdf/02crime2.pdf
So, the FBI records 402,637 "robberies". Of which, 2.3% are bank robberies.
So, all other robberies account for 97.7% of the total. But banks account for only 2.3% (or about 9,261 bank robberies).
But you think that "banks aren't particularly secure"?
Strange. I mean, since murder would normally be seen as having "repercussions" that are "more severe" and all. But the FBI records 16,204 murders.
Yet more murders than bank robberies.
Nope. The analogy is solid.
It's just that the facts seem to contradict your position.
Anyway, if you're ever in the neighborhood of Reality, stop in for a beer.
I'm not seeing anything on my logs.
Why don't you post 10 of those "large number of IP addresses" to substantiate your claim?
And security is why this worm will not do much damage.
http://securityresponse.symantec.com/avcenter/ven
Look for "Number of Infections: 0-49".
It's good to see the fundamentalists who want to push their religion in the classroom have found /. and learned how to work the moderator system.
Quantum Theory has many, Many, MANY experiments showing that it correctly predicts the results.
Anyone can come up with any new "theory" they want. And they may be able to get it published.
But without the first experiment showing that they can do something that quantum theory cannot predict ... they have nothing.