[buug] Great Links re. Internet/Linux Security

Rick Moen rick at linuxmafia.com
Sun Aug 6 10:57:16 PDT 2000


begin  Zeke Krahlin quotation:

>> Only a real bonehead would put a server physically in a public
>> environment, and password-protecting LILO is just rearranging the
>> deck chairs on the Titanic.  
> 
> I'll pass this on to my FreeNetCubs board (including the "pdf" issue).
> Thanks!

Here's part of what's bothering me, Zeke (and I hope this doesn't strike
you as just ill temper):  _How_ can you decide that something is a
"great link regarding Internet/Linux security", before having a good
grasp of that topic?

I do not intend that as a rhetorical question.  It's a real one:
There's always a serious bootstrapping problem, when you're just setting
out to learn a subject, and are trying to decide what's good information
and what is not.  How can you determine which information is correct,
not yet knowing the subject yourself?  If you try to pass off the
problem on somebody else, by asking someone to recommend a source of
information, how do you determine _whose_ views to listen to?

I'm not raising this problem in order to provide a pat answer.  It's a 
thorny problem without any good, simple answer.  But it's a highly
relevant problem to always bear in mind, anyway.

It's worth bearing in mind particularly because so many people try to 
finesse it in some classically bad, ineffective ways.  One of the
numerous ways to go wrong is to decide that some information source must
be "good" if you can understand it and it seems to be speaking in a
confident, authoritative tone.

One of the better ways to deal with the problem is to test supposed
authorities by learning one small subset of the field, and seeing what 
the authority says about that part.  Also, see if what the authority
says is internally consistent.  Also, see if what he says seems to give
you greater insight and understanding.  Above all, be skeptical.  
Confident-sounding authorities can be and often are dead wrong, me
included.

Anyhow:  The notion of password-protecting the boot process presupposes
that random people are going to be allowed physical access to the
console (keyboard & monitor) and (usually) also the system box that
has the drives and motherboard in it.

Give the public physical access to the system box, and the game is over.
You then have no system security -- if only because the bad guys can
extract your hard drives and take them home.  You can play cat and mouse 
with the public, by password-protecting LILO, setting the BIOS so it
will not boot from removable media, password-protecting the BIOS, etc.,
but you've really already lost, if you allow physical access.

The notion of allowing physical access to server boxes was promoted by
Microsoft Corporation in order to sell MS Windows NT for boxes run by 
unwary business types.  Microsoft claimed that MS Windows NT Server
boxes could be deployed in the middle of one's workspace without
security risk, because NTFS partitions could not be read by hostile 
parties, e.g., from boot floppies.  This statement turned out to be 
_both_ a non-sequitur _and_ to rest on an incorrect premise:   It is 
a non-sequitur because the bad guys could always extract the hard drive
and break into it as an additional drive on their own NT box.  It rested
on an incorrect premise because the Linux community quickly created
Linux boot floppies incorporating NTFS filesystem support.

And so it goes.  Anyhow, getting back to my overall point, just as with
the "tip" about /etc/services, you can't just assume that this source of 
information is "good" just because it's there and you can follow it.

I can't find much wrong with the rest of those two pages except for a
mild Red Hat bias and the fact that Dave Wreski (the author) didn't
mention that the Tripwire security-auditing package he recommends is
proprietary software.  The publisher says it intends to open-source it
later this year, but has not done so yet.  There's already an
open-source (GPLed) equivalent by Rami Lehti of Finland, "AIDE", 
http://www.cs.tut.fi/~rammer/aide.html .

-- 
Cheers,                              "Open your present...."
Rick Moen                            "No, you open your present...."
rick (at) linuxmafia.com             Kaczinski Christmas.
               --  Unabomber Haiku Contest, CyberLaw mailing list