[buug] Great Links re. Internet/Linux Security

Fri Aug 11 09:56:06 PDT 2000

I'm so sorry I missed the flamewar.  

That being said, some interesting observations I have about Linux
security, based on real-world experience.

1.  There is no substitute for good physical security.  Especially on the
Intel platform, if somebody has physical access to the box, there's going
to be little to stop them from gaining access to the data.  This is why
every datacenter I've ever been in has uber-anal security.

2.  Linux, as software goes, is a reasonably secure operating system when
properly configured.  Unfortunately, many Linux distributions (Debian,
noteably, NOT being one of them) have bad default security policies.  In
all cases, however (even with Debian), there's no substitute for good
sysadmin practices.

3.  As with anything in life, test frequently and often.  If you never try
to "hack" your way in to your own equipment, you'll never know how secure
your environment is.  Added bonus: hacking requires critical thinking
skills, something that is a Good Thing to exercise, anyway.

4.  Most importantly, encrypt frequently and often, and know how to
properly use encryption tools.  Assume that any data on your machine that
is in cleartext can be read by anybody, regardless of the security
permissions on the machine.  And, for deity's sake, keep your private
keysets on a floppy that you keep in your pocket, and ideally don't
unencrypt stuff on a multi-user machine (I keep a box around that only
runs in single-user mode specifically for performing crypto functions).

5.  Lastly, risk assessment is an important part of security.  Obviously,
if you run a small semi-public shell server like I do, you have different
security requirements than a bank.  A super-tight box is great, but it may
be unusable.  Learn about the implications of your day-to-day computing
activities, and make intelligent decisions on the level of risk you want
to accept.  This is perhaps the biggest mistake most Windows users
make: they allow all sorts of cookies, JavaScript, VBScript, etc. full
access to their systems without considering the implications of each in
the environment they work in.  (Personal note: the first thing I did when
I installed MSOutlook a long time ago was wander through the configuration
options.  VBScript in E-Mail?  Hell, no!)  

Keep this in mind: Even Windows is capable of providing reasonable
security if you properly configure it. and intelligently choose what
options you turn on/off.

-Fedl
(why am I always missing the good flamewars?)