[svlug] security

Rafael Skodlar raffi at kset.com
Thu Oct 15 13:42:57 PDT 1998
Previous message: [svlug] security
Next message: [svlug] security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 15 Oct 1998, Marc MERLIN wrote:

> On 15 Oct 1998 10:50:39 -0700, Rafael Skodlar <raffi at kset.com> wrote:
> >complain/opinion from a user. It's obvious that whoever comes out with the
> >distribution that has a default PATH with the dot in the middle is nuts. I
> 
> Only for users, not for root.
> I think it's a pretty good compromise.

Root should NEVER, EVER have a DOT in the PATH!!! Except for those who
play russian rulette.

> 
> >I installed RH 5.x on different systems and find that it fails in most
> >cases if I want to install only a few selected sections of the Linux
> >instead of whole thing.
> 
> Jeez, I don't know what you're doing wrong. Outside of a couple of machines
> with Cyrix CPUs, I've never had an install crash.

Jeez or Jazz. I can prove it any time anywhere. Installfest perhaps?

> 
> >I understand it, OK? Not everybody has access to the latest patches.
> >Besides, how many times have you downloaded 3+ MB of stuff over the modem?
> 
> You're talking about all the fixes, like Xfree. If you just get the security
> fixes, it's not all that big.
> 
> >> Ah? Never seen that myself.
> >
> >Lucky you. You obviously never tried it on a 486 Gateway machine or a
> >laptop.
> 
> I've installed it on laptops. But, I'll take your word for it, I'm sure that
> some exotic hardware may not be happy with linux. However, before blaming
> RH, check if slackware and/or debian install on the same machine.

I can go out and buy a laptop that will work with RH5.0. But that's not
the point. Install script crashes! With some blue lines across the screen
if that helps you understand it better. I've seen this happen to others
aswell, not just on the laptops.

> 
> >> Most security people assume that if  someone has access to a machine through
> >> any  account, it  is more  or  less equivalent  to that  person having  root
> >> access.
> >
> >"assume" that's what's bothering! Never assume one or the other except
> >that things are insecure. Don't assume that the first time user knows
> 
> Which is exactly what I was saying.
> 

That's why you want the machine to be more secure not less.

> >> Not on my machine. Once again, it's because your were too lazy to select
> >> what you wanted to install.
> >
> >Man you are stuborn. I did not select PCMCIA scripts on my system for
> 
> You too :-)

You are not the only one to learn it. You should listen to older guys some
time :-)

> 
> >example, yet it installed it on my desktop system. It's not a matter of
> 
> 1) that's a mute point, PCMCIA is part of the system functionality, whether
>    you specific hardware supports it or not (some desktop systems do)

How about USB? Why is it not included? Just as important.

> 2) pcmcia is _not_ a deamon that provides services over the internet and can
>    be exploited.
> 
> >laziness, it's a matter of time one needs to spend to cleanup the mess. 
> 
> No. Just don't install that "mess" in the first place.
> 
> >Besides, you can't remember everything at 1:00 in the morning. Regular
> >user doesn't know where to find those things much less what they all mean.
> 
> And this is RH's fault?
> 

Yes, because the system kept crashing from 18:00 till midnight when I
decided to install everything rather than try to figure out what
combination of selected packages will work and finaly got it working.
Somewhat.

> >Ahh, good. Because Slackware has security holes by default, RH has to have
> >them too. Because MS has a product that ends up in a blue screen, we need
> 
> No. Once again, you're distording the truth to your advantage.

I never "distording the truth" to my advantage. I do use it for my
advantage, "distording" no.

> For you, having inetd installed is a security hole, having nfs installed is
> a security hole, etc, etc..

Yes.

> 1) I don't agree with you
> 2) Most Unices (not just linux) are the same, or are worse.

Other Unix is mostly better.

.........
> 
> 
> Ok, I thought you were refering  to the old "GET /etc/passwd" bug. It's been
> a while since the  last bug in tftp was found, but I  agree with you that it
> wouldn't hurt to disable it, just to be on the safe side.
> 

It was a long ASCII string to come to some agreement with me.

> >What about a regular guy or even a software developer who wants to connect
> >to the Internet? Expect him to go hire you to fix BASIC security holes?
> 
> Ok. Then, disable everything to make it secure, and now I ask you:
> Waht about a regular guy or even a software developer who wants to use basic
> unix services that  were all disabled, or so secured  that they're difficult
> to use? Expect him to go hire you to enable everything he needs?
> 
> Look, I'm all for securing systems by default, but I also know that the more
> you do  that, the  more difficult  it is  to use  the system  for beginners.
> Personally, I  don't care much either  way as long as  I can do what  I want
> later.
> 
> >> >Other Unix is not much better in many respects.
> >> 
> >> Names?
> >
> >Next time.
> 
> Ain't that convenient...

AIX, SunExpert Magazine, Sep 1998, page 60. Amen.
http://sun.expert.com/

There is also a PDF file about Linux under Sun Expert News. Page 4 is
worth reading since it gives some stats from companies that follow the
industry and mentions those who ported their software but were "waiting
for something to happen". There are numbers for Linux installations that
are much higer than any I've seen so far, 15million+.

> 
> >If the distributions come configured as a standalone secure (tight) by
> >default, people would take it for granted. When they want to connect
> >somewhere then they would ask a person or a system what it takes to get
> >the right services (daemons) runing.
> 
> You could do that, but I think you'd double the existing traffic in linux.*

Double? How many questions have we got on the breakin issues? Each time we
went over the same thing, check this check that, disable this disable
that.

What's most amazing to me is the fact that breakins happened to the folks
on the list who I consider to be more knowledgable about Linux/Unix than
I! That happened because they did not bother (for whatever reason, time
perhaps, or plain laziness as you put it) to go over things you say
everybody should do. Well not everybody has the time to do it over and
over again. That's why bad guys got in. 

> 
> It's all about tradeoffs.
> 
> I'll end here, though.

Me too.

> 
> Marc
> -- 

   Rafael


--
echo "unsubscribe svlug" | mail majordomo at svlug.org
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ to unsubscribe
Previous message: [svlug] security
Next message: [svlug] security
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the svlug mailing list