[NTLUG:Discuss] Security Article - Dallas Morning News

Richard Cobbe cobbe at directlink.net
Tue Feb 22 13:54:55 CST 2000


B. DEGRASSE wrote on 2-22-2000:

> Thought it interesting that the anecdotal user in news front page story
> "Faster Internet connections put users at risk, experts say" used "the
> free operating system Linux, which through its advanced features can
> provide a good platform for a hacker".
> 
> http://dallasnews.com/national/34762_DSL22.html
> 
> What special features are they talking about other than root.

Basically, the same flexibility and controllability that brought many of us
to Linux in the first place.

More specifically, I suspect they're referring to the fact that there's
nothing special about being at the console of a Linux machine -- almost
anything you can do at the console can also be done remotely.  This makes a
cracker's job much easier.

> I just finished reading the cover story on Linux in the Security magizine
> and they missed it if the hole is too big.

To Unix people, this is a feature, not a bug.  I tend to agree.

Quite honestly, and don't take this the wrong way, I suspect that the
situation described by the Morning News is really a case of PEBKAC.  Since
Linux does allow greater power and flexibility, there's a correspondingly
greater degree of responsibility that goes with it -- you have to read up
on (and STAY up on) security issues, shut down services you're not using,
use ipchains/ipfwadm to block unwanted traffic, and so forth.  Part of the
reason Linux is so susceptible to these sorts of attacks is that casual or
new users haven't done this.  Either they don't know they need to, or they
just haven't gotten around to it.  Regardless, the result is a buncha
powerful but wide-open systems.

All that being said, the distributions could certainly do some things to
help this problem:

* Let's start by *not* automatically enabling every network service known
  to man after an install!  At one point, RH *ASKED* which services to
  start on boot, but IIRC this had disappeared again by 6.1.

* Explain to the user the basic stuff: what the various services are, how
  to enable and disable them, and so forth.  A warning dialog during setup
  is almost necessary here, I think -- something along the lines of "Hey,
  you need to worry about security now.  For more details, see ...."

* RedHat's control-panel is actually a pretty good start as far as
  manipulating boot-time services is concerned.  Lot of stuff to go there,
  though: starting or stopping a service immediately would be nice, among
  other things.

> Bruce

> <!DOCTYPE HTML PUBLIC "-//W3C//DTD W3 HTML//EN">

Not all of us are using HTML-capable mailers....

Richard




More information about the Discuss mailing list