Re: Certifying a RedHat Install

From: Thomas Corriher (thomas_corriher_at_earthlink.net)
Date: 07/15/04

  • Next message: Eric Gunnett: "Re: Certifying a RedHat Install"
    Date: Thu, 15 Jul 2004 17:34:30 -0400 (EDT)
    To: Focus Linux List <focus-linux@securityfocus.com>
    
    

    > My client wants me to certify there are no back doors in
    > the RedHat 9 server we are going to deliver.

    That cannot be done. Even tightly controlled monolithic
    corporations like Microsoft cannot prevent rouge programmers
    from sneaking in back-doors; as in the "Netscape engineers
    are weenies" exploit that existed in IIS years ago. If you
    want to eliminate liability for yourself then insert a "best
    effort but no guarantees" clause into the contract, and make
    certain there is no confusion about it. Be sure to cite how
    EULAs always disclaim all responsibility, and also have one
    of Microsoft's EULAs printed out with the critical sections
    highlighted.

    For security, Linux gives the following benefits (among
    others):

    1 - Better design as security was built from the beginning
    into every facet, and it inherited from Unix 30+ years of
    refinement in network operating systems.

    2 - More scientifically tested and extensively peer reviewed
    at every level because of it being open source while
    prominent in the most hostile environment -- the Internet.
    Microsoft's own Balmer admitted that it would cause a
    computer security catastrophe if Windows code were ever
    given the same scrutiny by being open to the public --
    damning remarks you might want to have available.

    > Question is what's the best way for us to certify this? *
    > rpm -Va ? * A global md5 on each file?

    Everything I wrote still applies. Furthermore, did Red Hat
    insert a back door, or did they miss someone else's? RPM is
    little help in those cases.

    Scientific methodology, merit (not marketing) based
    evolution of using the best from the global programming
    community, and peer review are some security benefits of
    Linux. I suggest you do not lessen these things by using a
    corporation like RH, and use a distribution that is more
    open in the community. Red Hat's distribution (not Fedora)
    is not getting peer reviewed as it should, and their
    mis-behavior is directly responsible for that. Ultimately,
    even when dismissing the technical arguments, you should
    look elsewhere for reasons of professional ethics. Would
    you be doing any service to move them from one company's
    lock-in to just another blood sucking company with dirty
    tricks and the type of EULAs most people have come to
    despise? They are trying to move to a more open and secure
    system, so using RH only betrays their trust. Before you
    dispute this, carefully consider how you could review RH's
    "enhancements" for security issues. What hurdles would you
    need to cross to do it? Then consider the chilling effects
    upon security, openness, and community. They play words
    games and stretch the GPL to its limits, but behind their
    smoke something is happening that is very wrong and
    destructive to Linux. Don't be part of something like that.

    > Also, what's the best way to minimize liability if they
    > are hacked? I don't want to get sued because the were
    > negligent.

    Tell the truth, the whole truth, and nothing but the truth.
    Make sure it is in writing and signed.

    -- 
      Thomas Corriher
      A.I.M.: corriherct
      phone: 336-391-2713
      "Welcome to Mrs. Bush, and my fellow
      astronauts."
        -- George W. Bush
    

  • Next message: Eric Gunnett: "Re: Certifying a RedHat Install"

    Relevant Pages

    • [Full-Disclosure] FWD: The journal of the black fist
      ... "I stay high to separate truth from lie." ... THE TRUTH IS OUR WEAPON OF CHOICE. ... further their status among peers and/or gain respect. ... Many security enthusiasts have accepted this myth as truth. ...
      (Full-Disclosure)
    • [Full-Disclosure] FWD: The journal of the black fist
      ... "I stay high to separate truth from lie." ... THE TRUTH IS OUR WEAPON OF CHOICE. ... further their status among peers and/or gain respect. ... Many security enthusiasts have accepted this myth as truth. ...
      (Full-Disclosure)
    • Re: New CWShredder update available
      ... To the "person" that calls himself an MVP: ... which one may supplement and fortify their security. ... that your ego far outweighs your ability to face facts and truth. ... and avoid truth and reality for all I care. ...
      (microsoft.public.security)
    • Re: New CWShredder update available
      ... To the "person" that calls himself an MVP: ... which one may supplement and fortify their security. ... that your ego far outweighs your ability to face facts and truth. ... and avoid truth and reality for all I care. ...
      (microsoft.public.security.virus)
    • Re: New CWShredder update available
      ... To the "person" that calls himself an MVP: ... which one may supplement and fortify their security. ... that your ego far outweighs your ability to face facts and truth. ... and avoid truth and reality for all I care. ...
      (microsoft.public.windows.inetexplorer.ie6.browser)