Re: [linux-security] Re: Checking remote servers
- From: Leigh Porter <leigh wisper net>
- To: linux-security redhat com
- Subject: Re: [linux-security] Re: Checking remote servers
- Date: Mon, 25 May 1998 16:45:45 +0000
Michael H. Warfield wrote:
> Is any of this 100% foolproof? No. It doesn't have to be.
> You should understand more about your system than the person trying
> to break into it. If your preventative measures slow him down enough
> that he eventually trips over some of your alarm measures, chances
> are very good that you will catch anyone attempting to tamper with
> the system. You can layer on enough security perimeters, check
> points, auditing, alarms, etc, etc, etc to make a system a pretty
> tough nut to crack even if they KNEW what you had on the system.
Yes, but most admins do not understand more than the attacker. Like
with systems that come pre-configured to gateway SMTP mail to the whole
net, systems need to be supplied with security-aware defaults.
> Having an OS with a publicly available kernel source is a
> security advantage.
It can also be a disadvantage, see below. Whether the advantages of
publicly available source (Security flaws get found sooner, fixed
sooner) or the advantages of non-publicly available source (Flaws
may never get found, but if they do may take forever to get fixed) are
better, well..
> The only way the individual who published the three "getadmin"
> Windows NT exploits could have known about those three arcane tricks
> (one was writing to a peculiar offset off of a global structure) was to
> have some sort of sources (not that anyone would admit that). As soon as
> one was fixed, he posted the next. They were just a little too "peculiar"
> in what they exploited.
Yes, this was odd. MS has licensed the NT source to quite a few
companies now, it would not take much for the source to leak out. This
is a problem of attackers having access to source nobody else has
access to, obviously putting them at an advantage!
> Just because YOU, Joe Blow public, doesn't have sources, it
> doesn't mean those same sources are not available to the crackers.
> Ever take a peek at some of the hacker/cracker "toolz" CDs? Don't
> believe that they don't have sources to a lot of this stuff...
NT kernel source code on a "toolz" CD ;-) That would be interesting!
> BTW... Anytime someone uses the word "obviously" it's not. Lots
> of security people share techniques and information. That's how we improve
> security. We learn from each other.
I did not mean not sharing techniques and information, I meant the
general security overview - we have this firewall here, this ACL there
etc. Sharing information is not like sharing company security policy!
> > It is also apparent that many people who run Linux systems do not
> > really know much about security or where to keep track of bugs and
> > updates which makes Linux a prime target not to mention its
> > popularity!
>
> To make this statement about Linux and not say it about everyone
> is totally bogus.
Ok sorry, I cannot disagree here!
> Oh oh... Someone's forgetting about spoofing... :-)
Ok so people can spoof, still, a properly configured router/firewall is
better than nothing.
> Sorry about the rant. It just raises the hair on the back
> of my neck when I hear some "hide it! hide it! hide it!"
> individual complain that publicly available sources were somehow a
> security risk. A security professional should know better (assuming
> that's what this person is).
I am not a security professional :) I am not a hide it person,
publicly available source code has done more for Linux than anything
else, apart from maybe the hundreds of people who have coded for it.
Publicly available source does however mean that it is a lot easier
for people to find security flaws in the OS. If the source code is
sealed behind closed doors then the security flaws that are there may
never be found; then again, when they are found they will take a long
time to be patched and may never be patched!
[mod: Reformatted.... Please take the time to make your posts
readable.... Even with vi, it's just a few minutes of work, and it's
worth it if you're going to share the output with thousands of
others. -- REW]
--
Leigh Porter