Re: Linux and security
From: Johannes H. Ahlmann (softpro_at_gmx.net)
Date: 07/31/03
- Next message: Carl: "Re: Hiding files and encrypting stuff under Linux"
- Previous message: David: "Re: Linux and security"
- In reply to: David: "Re: Linux and security"
- Next in thread: Gary Cramblitt: "Re: Linux and security"
Date: Thu, 31 Jul 2003 08:25:38 +0200
David wrote:
> At this point in
> time if you want a secure Linux box that you can actually do something
> with you still have to get your hands dirty. If not you will generally end
> up with something no more secure than a Windows machine that can't do much
> more than email and web browsing.
i totally agree and am extremely anxious to secure my system via getting my
hands dirty ;-). i think i did a pretty good job until now and might be
going to use some kind of a file monitor in the near future... yet, it is
not "pro active" enough for my taste! i think i'm gonna try "grsecurity" or
SELinux first, to make sure that any application/user only gets access to
the resources he actually needs.
once i am satisfied that my system is as impenetrable as possible i will
very likely think about file monitors, my main focus, however, is "active
security" more than "knowing-what-happened-security". but, thinking about
your comments, it's perhaps a little naive to have absolutely no clue
whether one's system is still intact or has already been compromised...
> How can you say something like tripwire is overkill and hard to use when
> in the next paragraph you state you have "never used tripwire or similar"?
ok, that assessment had no basis in experience and might well have been
false. but you DO agree that it's quite a hassle to set up *gg*.
> You have to keep in mind that since viruses and worms that manipulate your
> personal files are currently not a widespread problem with Linux, your
> main concern often revolves around protecting the system files whose
> compromise could allow someone else to access or download your data. That
> is why we protect root and the system. Not because they are so important
> or irreplaceable but because they hold the "master keys" to the users'
> data. You don't necessarily use file integrity software to track your data
> files that are frequently changing. You put it on the executables that if
> compromised allow someone else access to them.
i think you read my text a little out of context... i am the last person to
say that system security is of no importance and that everybody should use
win95 and live an anarchical lifestyle!
what i was saying was that i am rather confident in linux system security
and apart from glitches like the ptrace-bug it is rather hard on a
well-administered linux system to gain root access remotely. locally there
might be some ways and a serious hacker will find some loop-hole in any
event, but the system is rather secure in my opinion!
what i was saying was that viruses can have effects even on the perfectly
secure system because the user will (nearly) always have the right to
read/write his files, execute code and download files. with these three
premises there is a threat to his files that is independent of the system
used and this is why there will never be a system that there won't be any
viruses for!
> I deal with all of my family's and friends' machines (aside from those who
> work in the field) and would have to say most home users don't have a clue
> and really don't care. Remember we are talking about home use here not
> business. If I didn't have other reasons to keep abreast what is happening
> I probably wouldn't care either. I would simply backup my files and spend
> more time at the local tavern.
i agree that no one is interested, but as i wrote in my last post the same
could be expected about car safety for example. but even without
legislation and law enforcement many people would still take a serious
interest in their tire-pressure, etc.
so, if one could make people aware of the very real threats to them (loss
of data, data manipulation, illegal activities performed by hacked
computer, ...) they might take an interest for the sake of their own
security! people don't check their tire-pressure every time before they drive
off, but many keep in mind that their lives may depend on it and this
ATTITUDE is what i'd like to see with computer safety/security.
> A "drivers licence" to operate a home computer! You can't stand the
> thought of sifting through logs to see why something happened, yet you're
> willing to allow a bunch of politicians to force you to obtain a "home
> computer operators permit" so you can surf the web?
COME ON!! i don't want a computer "driving licence"! i just said that we'd
better find a way to make the "dumb" users aware of the threats. your
reaction is like: "wow, no i won't wear some rubber thingy when having sex!
that is the most ridiculous thing i've ever heard" and go on in ignorance
about all the implications (aids, ...). i hate the idea of a "computer
usage license", but as seen with the cases of worms (code red, nimda), the
stupidity/unawareness of single users can have drastic effects on the
internet and world-wide stability!
thx for your "article". i stand corrected in many ways and have some new
insights about tripwire and file monitoring...
Johannes