
Re: Secure Distros



On Mon, 15 Oct 2001 12:59:48 -0700 (PDT) Marcus <yoshi_mon yahoo com>
imparted to us:
> Recently I was trying to help out a linux newbie with his box. Someone
> had installed Slackware on his system and done a rather poor job of it.
> A few examples: A total of 10 partitions on an 80 gig drive, yet key
> mounts were running low on space. Even though SSH was installed and
> running on the system, telnet and rsh were still open and running.
> While securetty was present, sshd allowed root logins with no IP
> restrictions. Anonymous FTP was up and running. The list sadly goes
> on...
> 
> Granted, that in the hands of an administrator that knows what they
> are doing, the examples I mentioned would not be cause for alarm.
> However, in the hands of a linux newbie, this box was trouble waiting
> to happen. Thus we decided that the best course of action was to
> reinstall linux from scratch and do it right.
> 
> Being no stranger to giving this kind of help, I told the user to go
> download RedHat v6.2 and come back to me when they had the CD ready to
> go. My reasoning for choosing RH v6.2 was multifaceted: 1) RedHat's
> install scripts are excellent and very easy for a new user. 2) The
> v6.2 distro, while a bit old, has all the tools a user needs to get
> started. Since the kernel tops out at very stable 2.2.19, a newbie can
> compile/install that as their first kernel upgrade project and feel
> safe in knowing that they have a stable kernel. 3) RedHat has proven
> itself to be a stable distro. While slackware and many other distros
> have/will be around for a while, few can match RedHat's support and
> user base.
> 
> Confident that my reasoning was sound, I was a bit shocked when the
> user said he did not want RedHat, period. Upon asking why, he stated
> that RedHat was not secure and my arguments to the contrary fell upon
> deaf ears. He insisted that we use Slackware because it was more
> secure.
> 
> Since this encounter I have done some digging and found that across
> many message boards there seems to be the prevailing thought that
> RedHat (Regardless of the install.) is less secure than any other
> distros. Having used RedHat many times to install the very basic
> system components, and then building the rest up from tarballs and
> trusted RPMs, I fail to see the logic in this general consensus.
> 
> My question then is, why is RedHat, in my opinion, unjustly labeled as
> an "insecure" distro? How is RedHat so different that in the hands of
> a knowledgeable administrator, who if they were to take RedHat and
> another distro, use them both to build a base system and then
> configure the rest by hand, be perceived as insecure?

Wild guess is all I can offer: FUD spread by anti-RH and
pro-debian/slackware zealots. Add in that RH is usually ahead of those
in tools and libraries and such (and therefore more likely to encounter,
shall we say, missed bugs) and one has the formula for closing
cooperative minds.

Though zealotry can persuade some people, larger numbers are turned away
in the absence of valid evidence (even circumstantial) and a little
reasoned conversation. Generally the people who start these things almost
foam at the mouth once they get into their reasons for their beliefs.

I doubt seriously if the person you were trying to help could even give
reasonable explanations for why he thought RH unsecure. Answers such as
"I was told......" and "I heard about one case..." should be pretty
common. Most likely his information came from others that also don't
know, and who were, in turn, supplied with information by still others.
Most can't supply more than anecdotal evidence, mainly because most
don't come to these conclusions through experience. Generally there are
a few people who reach the conclusions they have, right or wrong though
they may be. Most others follow those conclusions unquestioning.

How to counter this thinking? Gentle persuasion, demonstration, an offer
to test things and see how they work. If those fail, drop it because
those with closed minds generally can't be coaxed into even hearing other
things. Arguing won't work. An offer to install things, show them how to
actually secure things themselves, explain what does what and why, etc,
and maybe even showing them how insecure one of the "experts" left their
machine when the distro is supposedly so much more secure than RH. Those
persuade. But only with folks that have an open mind to the matter.

That said, some have valid reasons for their choices of distros.
Security, however, falls back on the person administering. As I like to
say, my mom & dad may have raised me to become what I was when I left
their protective cover, but I am responsible for who I am from that time
forward. The same applies to the security of the boxen.

-- 
Excuse my english. I went to US public school.
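
The configuration problems named in the quoted message (telnet and rsh still enabled, sshd permitting root logins, anonymous FTP) are properties of config files rather than of the distribution, so they can be checked the same way on any distro. The following is an added example, not part of the original thread; the sample file contents are constructed, and the inetd.conf layout, the OpenSSH default for `PermitRootLogin`, and the `/etc/ftpusers` convention are assumptions about a system of that period.

```python
# Constructed sample files (not from the thread), in classic inetd/OpenSSH formats.
INETD_CONF = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  wu.ftpd -l -i -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd -L
#login  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
"""
SSHD_CONFIG = "Port 22\n#PermitRootLogin no\n"
PASSWD = "root:x:0:0::/root:/bin/bash\nftp:x:14:50::/home/ftp:\n"
FTPUSERS = "root\nuucp\n"

# inetd service name -> the cleartext remote-login tool it exposes
CLEARTEXT = {"telnet": "telnet", "shell": "rsh", "login": "rlogin", "exec": "rexec"}

def active_lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit(inetd, sshd, passwd, ftpusers):
    findings = []
    services = {line.split()[0] for line in active_lines(inetd)}
    for svc, name in CLEARTEXT.items():
        if svc in services:
            findings.append(f"{name} enabled in inetd.conf")
    # sshd uses the first value it sees; assumed default is "yes" when unset,
    # as in OpenSSH releases of that period.
    root_login = "yes"
    for line in active_lines(sshd):
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            root_login = parts[1].strip().lower()
            break
    if root_login == "yes":
        findings.append("sshd permits root login")
    # Assumed classic ftpd convention: anonymous FTP works when an "ftp"
    # account exists and is not denied in /etc/ftpusers.
    has_ftp = any(l.split(":")[0] == "ftp" for l in passwd.splitlines())
    if "ftp" in services and has_ftp and "ftp" not in set(active_lines(ftpusers)):
        findings.append("anonymous FTP enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(INETD_CONF, SSHD_CONFIG, PASSWD, FTPUSERS):
        print("FINDING:", finding)
```

The check does not cover the "no IP restrictions" part of the sshd complaint, which would depend on tcp_wrappers or firewall rules not shown here.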




