
Red Hat & Dell Host Open Source Security Summit

CowboyNeal posted about 12 years ago | from the footing-the-bill dept.

Security

wishus writes "Red Hat and Dell said they would co-host an Open Source Security Summit. 'Join Red Hat, Dell and experts in enterprise security from around the world for a summit on securing infrastructures with open source software.'"


79 comments


oh yeah (-1, Offtopic)

Hall and Oates (575706) | about 12 years ago | (#4386307)

I love being number 1.

Red hat security experts (-1, Flamebait)

Anonymous Coward | about 12 years ago | (#4386316)

what an oxymoron !

Slashdot me (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#4386318)

So.. (1, Interesting)

Anonymous Coward | about 12 years ago | (#4386319)

when can I get an easy-to-use-and-configure, secure network file system ?

Re:So.. (2)

Angry White Guy (521337) | about 12 years ago | (#4386391)

When people stop hacking computers. Until then, it's choose one or the other.

Re:So.. (0)

Anonymous Coward | about 12 years ago | (#4386889)

I was thinking at least something that _tries_ to be secure. Possibly with optional data encryption.
NFS is a joke, so are Intermezzo and Coda in this area :(

Re:So.. (2)

WNight (23683) | about 12 years ago | (#4387148)

I've heard that AFS, Andrew File System, is remote and fairly secure, but it also looks a little bizarre.

I want something like Reiserfs (ie, full unix privs and soon ACLs) that just happens to work wonderfully over a network and is protected by SSH.

But, the solution might not be in the filesystem. Perhaps we shouldn't waste time securing that when it's just the network that needs securing. NFS is perfectly secure on a two-computer network, so maybe we need to use VPNs (with SSH-level security) and simply run NFS over them.

I'm looking into this same thing right now. I want to store all my files on a server machine and pull them from any of the client machines, without letting anyone else on the switch sniff them. SMB is a bit more secure, with a password and all, but it sends the data in plaintext, and doesn't properly support Linux permissions, let alone ACLs. (That I know of.)

Re:So.. (2)

Angry White Guy (521337) | about 12 years ago | (#4387222)

NFS is very secure, if you have the time to fine-tune it. Unfortunately it is not as intuitive as it could be.
The same goes for the Linux security model. Great strides have been made in making the file permissions very secure, but the main problem goes beyond the basics of file permissions, group ownership, etc. Real masters at the file permissions have an almost zen-like control over their systems, bending the security model to the point just before it breaks, to achieve maximum security over a file system. The trick is not knowing which permissions allow or deny access to a file, but rather how they interact with each other.

Re:So.. (0)

Anonymous Coward | about 12 years ago | (#4387444)

Are you FREAKING CRAZY? I need an office filesystem. People have root access at their machines. Access is determined by sending a freaking integer (the uid) over the wire.
Only between trusted hosts, and on a physically secure network, is NFS secure. Well, it's mostly RPC's fault. Looking forward to the day RPC-GSS can be used with NFS. (Some guys are working on that + an NFSv4 implementation already.)

Re:So.. (0)

Anonymous Coward | about 12 years ago | (#4389323)

Are you FREAKING STUPID? run NFS over SSH. This might prove to be difficult for your average Linux tard though.

Re:So.. (1)

ecalkin (468811) | about 12 years ago | (#4386407)

It's called NetWare.

Re:So.. (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#4386452)

Hear Hear!!!

Netware rulez!

Re:So.. (1)

vlag (552656) | about 12 years ago | (#4387077)

I see: security by obscurity. Great Plan!!!

Re:So.. (0, Troll)

yatest5 (455123) | about 12 years ago | (#4386421)

RedHat has made great strides in the user-friendly install... At least making it easy for Windows users to "try out its features".

The problem is, so much of the strong reasons for switching to Linux (aka security) are hard to realize in a user friendly sort of way.

For instance, getting OpenSSH up and running to integrate a Windows box to be able to ftp from/to the secure Linux install takes a lot of work, and fishing around. It's an immediate turn-off.

Then there's wireless networking. Oh, by the way, you have to become a kernel-compile aficionado to get these wireless drivers working.

If we're talking RedHat/ here and security in the same breath, then why not focus on a user friendly install for security. Including a side howto on how to possibly go get Putty up and running. And how you're going to need to generate your keys with ssh-keygen type 2 rsa and then load them into puttygen which will convert them. And oh by the way, the converted private key will also work under SecureNetTerm. Don't forget something like this for your private keys in your $home/.ssh dir:

chmod 600 id_rsa                 # private key: readable by its owner only
cp id_rsa.pub authorized_keys2   # the public half is what goes into authorized_keys

It wasn't that easy, but it should be, and it could be.

'nuff said

Re:So.. (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#4386454)

Mod this guy down. He's just copied a previous post.

Re:So.. (0)

Anonymous Coward | about 12 years ago | (#4386592)

Moderators, are you stupid? The parent post is a copy of post #4386360

This guy's a troll trying to get karma points.

Re:So.. (0)

Anonymous Coward | about 12 years ago | (#4389355)

what kind of fucking tard are you? why 600 it? what are you going to need write perms on that for?
stupid linux kiddies

Re:So.. (0)

Anonymous Coward | about 12 years ago | (#4386614)

WWW.novell.com

in fact Novell 4.11 is still rock solid and does more than any Microsoft product ever has and ever will.

too bad it doesn't meet your easy to configure part... as Novell is a holy-crap pain in the ass..

Re:So.. (0)

Anonymous Coward | about 12 years ago | (#4387434)

> does more than any Microsoft product ever has and ever will.

Except, sell.

a good thing... (4, Insightful)

netphilter (549954) | about 12 years ago | (#4386323)

I think this is a very good thing, considering that to most people the idea that something designed in such an open manner is secure seems preposterous. I may even drag my Controller along in an effort to help to open her eyes to the fact that we don't have to pay big money for good security.

Dude! (5, Funny)

DarkHelmet (120004) | about 12 years ago | (#4386332)

And I thought the ads that IBM had for Linux were interesting enough.

Imagine ads with "Steven" saying, "Dude, you're compiling a kernel."

*shudder*

Re:Dude! (3, Funny)

mark_lybarger (199098) | about 12 years ago | (#4386350)

Imagine ads with "Steven" saying, "Dude, you're getting a dell, wanna roll your own? If not, I hear the Red Hat guy rolls a good one. :D"

Re:Dude! (4, Funny)

red_dragon (1761) | about 12 years ago | (#4386402)

I fear that they might want to change the kernel error messages first.

Dude, you're getting a kernel panic!

Re:Dude! (0)

Anonymous Coward | about 12 years ago | (#4386459)

You know those TV commercials with "Steven" for Dell, and those cow commercials for Gateway? Here's what I'd like to see:

The commercial opens with a distant establishing shot of a verdant country pasture bathed in early morning mists. Cut to a close-up of Steven's smiling face. We see that Steven is animated, his tongue darting out of his mouth and his eyes rolling up into his head. Cut to a medium shot. We see that Steven is fucking the Gateway cow in the ass. The cow turns and looks at the camera and says "moo". Behind a tree we see Teddy, that Gateway ponytail poofster voyeuristically wanking off. Just as Steven is about to cum he blurts out to the cow "Dude, you're getting a Dell!", followed by an explosive orgasm.

Puts a new meaning to the phrase "farmer in the Dell".

Timing... (3, Interesting)

ackthpt (218170) | about 12 years ago | (#4386334)

And there's this nice bit being splashed about on Yahoo News [yahoo.com] this morning.

Re:Timing... (4, Informative)

Sn4xx0r (613157) | about 12 years ago | (#4386362)

And here is the list [sans.org] of vulnerabilities that they are talking about.

misleading title (0)

Anonymous Coward | about 12 years ago | (#4386335)

it should be "Red Hat and Dell to host Open Source Security Summit"

When I read that title, I thought I would be getting coverage of something already completed.

Re:misleading title (0)

Anonymous Coward | about 12 years ago | (#4386612)

perhaps then you should break the AnonymousCoward mold and actually read the article before posting.

Another dimension (2, Offtopic)

PaulK (85154) | about 12 years ago | (#4386344)

Since the arrest of the author of T0Mkit, (albeit by the British), I am concerned about how this event will be treated by the feds.

Will there be fibbies running around with cameras and notepads?

How can we possibly write code to test/implement security, without looking over our shoulders?

Re:Another dimension (0, Offtopic)

HipShot (152834) | about 12 years ago | (#4386389)

Could someone explain to me how the parent of this is offtopic? Just because you don't like what is said, does not mean it is offtopic.

That being said, consider that a security conference/summit is an ideal place for blackhats to glean information, and for the fibbies to catch them at it.

Re:Another dimension (1)

Winterblink (575267) | about 12 years ago | (#4386597)

Could someone explain to me how the parent of this is offtopic? Just because you don't like what is said, does not mean it is offtopic.

Welcome to Slashdot, man. :)

Re:Another dimension (1)

dusanv (256645) | about 12 years ago | (#4387185)

Like the other guy says: some moderators are high/drunk/dumb. When I see something like that I correct it if I have moderator points, and if not I try to catch it on meta moderation...

Toronto or Montréal would be more practical venues (2)

SgtChaireBourne (457691) | about 12 years ago | (#4392553)

Wouldn't Toronto or Montréal be a better venue?

First of all, you can avoid the mounting insanity and disorganization at U.S. airports. Second, non-U.S. security experts would be able to attend without worrying if the door prize is a matching pair of metal bracelets. Lastly, U.S. security geeks can get some time in some nice cities.

Opensource the Dell Dude? (5, Funny)

Komrade S. (604620) | about 12 years ago | (#4386354)

In this case, I think I'll settle for closed source. Thanks for the thought anyway, Dell.

Re:Opensource the Dell Dude? (0, Offtopic)

chegosaurus (98703) | about 12 years ago | (#4386400)

Dude, you're getting h@X0r3d

User Friendly Security (5, Insightful)

snatchitup (466222) | about 12 years ago | (#4386360)

RedHat has made great strides in the user-friendly install... At least making it easy for Windows users to "try out its features".

The problem is, so much of the strong reasons for switching to Linux (aka security) are hard to realize in a user friendly sort of way.

For instance, getting OpenSSH up and running to integrate a Windows box to be able to ftp from/to the secure Linux install takes a lot of work, and fishing around. It's an immediate turn-off.

Then there's wireless networking. Oh, by the way, you have to become a kernel-compile aficionado to get these wireless drivers working.

If we're talking RedHat/ here and security in the same breath, then why not focus on a user friendly install for security. Including a side howto on how to possibly go get Putty up and running. And how you're going to need to generate your keys with ssh-keygen type 2 rsa and then load them into puttygen which will convert them. And oh by the way, the converted private key will also work under SecureNetTerm. Don't forget something like this for your private keys in your $home/.ssh dir:

chmod 600 id_rsa                 # private key: readable by its owner only
cp id_rsa.pub authorized_keys2   # the public half is what goes into authorized_keys

It wasn't that easy, but it should be, and it could be.
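An added example, not code from the post above or from Red Hat: a POSIX sh script that installs the public half of an OpenSSH key pair into authorized_keys with the permissions sshd requires, refuses to install a private-key file by mistake (the failure mode of copying id_rsa instead of id_rsa.pub), and checks the resulting modes. The function names, the directory layout and the set of accepted key types are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example (not from the post): install an OpenSSH public key into
# $ssh_dir/authorized_keys with the permissions sshd insists on, and refuse
# to install a private key by mistake. Function names and paths are assumptions.
set -eu

# Install the first line of $1 (an OpenSSH .pub file) into $2/authorized_keys.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    keyline=$(head -n 1 "$pubkey_file")
    # Only public-key lines are accepted; a private key file starts with "-----BEGIN".
    case "$keyline" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing: $pubkey_file is not an OpenSSH public key" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"                  # sshd ignores keys under a group/world-writable .ssh
    touch "$ssh_dir/authorized_keys"
    chmod 600 "$ssh_dir/authorized_keys"
    # Append idempotently: exact whole-line match, so re-running never duplicates a key.
    if ! grep -qxF "$keyline" "$ssh_dir/authorized_keys"; then
        printf '%s\n' "$keyline" >> "$ssh_dir/authorized_keys"
    fi
}

# Return 0 when .ssh is 700, authorized_keys is 600 and every private key
# named id_* (without .pub) is 600; print the offending path and return 1 otherwise.
check_ssh_perms() {
    ssh_dir=$1
    mode() { ls -ld "$1" | cut -c1-10; }
    [ "$(mode "$ssh_dir")" = "drwx------" ] || { echo "bad mode: $ssh_dir"; return 1; }
    [ "$(mode "$ssh_dir/authorized_keys")" = "-rw-------" ] || { echo "bad mode: authorized_keys"; return 1; }
    for f in "$ssh_dir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        [ "$(mode "$f")" = "-rw-------" ] || { echo "bad mode: $f"; return 1; }
    done
    return 0
}

# Usage: install_pubkey ~/id_rsa.pub ~/.ssh && check_ssh_perms ~/.ssh
```

The private-key check is the point: sshd will not authenticate against a private key pasted into authorized_keys, and the copy would leave the secret half lying in a second file, so the script refuses the file outright rather than silently producing a broken setup.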

Re:User Friendly Security (3, Interesting)

netphilter (549954) | about 12 years ago | (#4386425)

I agree that security should be easy, and believe it or not I think that in some ways Microsoft is beginning to do a good job in this arena. Before you flame me, hear me out. I'm not claiming that Microsoft OS's are secure, or that they're even as secure as Linux. However, they have found ways to integrate some basic security features in a user-friendly way. For example, the Internet Connection Firewall. Is it a great firewall? No, not at all. However, it does provide basic firewalling services, and it logs. I know that Redhat incorporates ipchains and allows for relatively simple configuration, but ICF just seems a bit more user-friendly. I would, however, like to see someone (I started to but don't have the time) write a perl script that goes through the logs looking for traffic patterns so you can do basic intrusion detection.

Again, in general I think that Microsoft has deployed some simple security tools like ICF, the MBSA, and even Windows Update that Redhat can't really compete with. Even up2date is a little more complicated than most people want to deal with. The RHN is a good service for enterprises, but for Joe User that doesn't want to pay it's just not that great. I have recently converted a family member to Redhat from Win2k, and one of their complaints is their inability to update their PC because "Free service limited due to high load..." Most people don't know what that means and don't care...it discourages them from even updating their computers at all. Overall, I think that Microsoft is winning the user-friendly security tool war, even though their software is not secure.
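An added example that is not part of the post above: the "go through the firewall logs looking for traffic patterns" idea as a short sh/awk script rather than the Perl script the poster had in mind. The log lines are constructed in the W3C-style layout an Internet Connection Firewall log uses (date, time, action, protocol, source IP, destination IP, source port, destination port, ...); the threshold, the function names and the port-scan heuristic are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example (not from the post): a first cut at pattern-spotting over a
# firewall log in sh + awk. The lines below are constructed, not captured from
# a real host, in the field order an ICF (pfirewall.log) file declares.

sample_log() {
    cat <<'EOF'
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2002-10-03 09:12:01 DROP TCP 10.9.8.7 192.168.1.10 3021 135 48 S 1 0 65535 - - -
2002-10-03 09:12:01 DROP TCP 10.9.8.7 192.168.1.10 3022 139 48 S 1 0 65535 - - -
2002-10-03 09:12:02 DROP TCP 10.9.8.7 192.168.1.10 3023 445 48 S 1 0 65535 - - -
2002-10-03 09:12:02 DROP TCP 10.9.8.7 192.168.1.10 3024 1433 48 S 1 0 65535 - - -
2002-10-03 09:12:02 DROP TCP 10.9.8.7 192.168.1.10 3025 1433 48 S 1 0 65535 - - -
2002-10-03 09:15:40 DROP UDP 192.168.1.1 192.168.1.10 137 137 78 - - - - - - -
2002-10-03 09:20:11 OPEN TCP 192.168.1.10 172.16.0.5 1040 80 - - - - - - - -
2002-10-03 09:21:00 DROP TCP 172.16.0.99 192.168.1.10 40001 80 48 S 1 0 65535 - - -
EOF
}

# Read a log on stdin; report source IPs whose dropped TCP connection attempts
# touched at least $1 distinct destination ports (a crude port-scan heuristic).
# Output: "<src-ip> <distinct-ports> <attempts>", one per line, sorted by IP.
scan_suspects() {
    threshold=$1
    awk -v thr="$threshold" '
        /^#/ { next }                            # header/comment lines
        $3 == "DROP" && $4 == "TCP" {
            attempts[$5]++
            key = $5 SUBSEP $8                   # (src-ip, dst-port) pair
            if (!(key in seen)) { seen[key] = 1; ports[$5]++ }
        }
        END {
            for (ip in ports)
                if (ports[ip] >= thr) print ip, ports[ip], attempts[ip]
        }' | sort
}

# Count DROP events per source IP regardless of protocol: "<count> <ip>", busiest first.
drops_by_source() {
    awk '!/^#/ && $3 == "DROP" { print $5 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Usage: scan_suspects 3 < pfirewall.log ; drops_by_source < pfirewall.log
```

Counting distinct destination ports per source rather than raw drops is what separates a sweep from a single chatty host: on the sample, the NetBIOS broadcast from 192.168.1.1 and the one blocked web hit from 172.16.0.99 stay below the threshold while 10.9.8.7 is reported.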

Re:User Friendly Security (3, Interesting)

back_pages (600753) | about 12 years ago | (#4386651)

How useful is that friendly firewall going to be once every cracker interested in breaking into Windows boxes knows what the failings of it are? That user friendly firewall becomes a user friendly waste of time.

It would be fantastic if their user friendly firewall did all the work rather than part of the work, but the ability to root a box in 5 ways instead of 10 is still the ability to root. The real danger is in convincing the users that the firewall makes them safe and therefore need not be vigilant or suspicious. That creates users who do not patch their software, making the inevitable breach more disastrous.

In fact, your quote, "Microsoft is winning the user-friendly security tool war, even though their software is not secure," is rather telling. They aren't winning anything related to security. They're succeeding in generating revenue through marketing and slogans, which they've always done. The security of their products is not enhanced in any fashion by their user friendly firewall in the long run. If you think it takes a public relations department and TV commercials to win the security tool war, you simply don't have a clue and probably don't want one.

Huuh? (2)

Andy Dodd (701) | about 12 years ago | (#4386509)

Under RedHat 7.3 I plugged in my Orinoco card and it just worked. That's it. Nice and simple. It's a different story if you want to use RF Monitor mode (needed only for utilities like Airsnort and Kismet), but since Kismet and Airsnort are by no means "end-user" tools that doesn't really matter.

What's all that crap you're going through with ssh?

I haven't done a *SINGLE* thing to the SSH config on my desktop 7.3 box and I can SSH into it from work with no problem using TeraTerm. The only config issues I had to deal with were port forwarding on my wireless AP/router, but that had absolutely nothing to do with RedHat.

I don't know how you got Score: 5 - It should be -1 Troll.

Re:Huuh? (2)

snatchitup (466222) | about 12 years ago | (#4386559)

Good for you. It sounds like your IQ is way over mine.

My Linksys Wireless PCI card doesn't work.

I port forwarded my router as well, it was very easy.

Wireless PCI cards? (2)

Andy Dodd (701) | about 12 years ago | (#4386603)

Dude, those are a crapshoot even under Windows.

I tried no less than *two* different PCI WLAN approaches in my desktop. One was a D-Link DWL-520 (Basically identical to Linksys' offering) - 50%+ packet loss under Windows if it even ran at all, 25%+ under Linux. Prism2 based PCI solutions *SUCK* and it's unfair of you to blame that on Linux when it's even more difficult under Windows.

I also tried an Orinoco PCI. Worked flawlessly under Linux with no trouble whatsoever, it NEVER worked under Windows. (98 or 2000, multiple reinstalls of each) It would show 100% signal strength, but never was able to send/receive data.

(I gave up and ran a Cat5 cable downstairs until I found out about the Linksys WET11 a month later)

Re:Huuh? (1)

snatchitup (466222) | about 12 years ago | (#4386713)

The Linksys PCI card works pretty darn well on my box under Win98. Of course, part of that is that the CD rom that came with the card was for Windows and had no linux support.

But apparently, even if the model is new, the chip is fairly common.

In fairness to the topic, I'll take back what I said about wireless. Because, I really wasn't ranting on device support.

In all, I'd have to say it is excellent.

I was ranting on security. If you're new to OpenSSH, it ain't easy to use from the install get-go, though sshd is installed and set up, sort of.

Re:User Friendly Security (1)

pellaeon (547513) | about 12 years ago | (#4386988)

> For instance, getting OpenSSH up and running to integrate a Windows box to be able to ftp from/to the secure Linux install takes a lot of work, and fishing around.

You mean, apart from doing 'chkconfig --level 345 openssh on' or running 'setup' and then either reboot (*shudder*) or typing 'service sshd start'?

You might want to look at the Getting Started Guide RedHat provides for free on their website - no amount of trying is a substitute for RTFM ;-)

And please don't blame RedHat for possibly poor ssh documentation that's part of one package.

Re:User Friendly Security (1)

moeman (11668) | about 12 years ago | (#4387381)

> Then there's wireless networking. Oh, by the way, you have to become a kernel-compile aficionado to get these wireless drivers working.

I plopped the Knoppix 3.1 CD in my drive, booted my laptop, and surfed the web on my wireless card. Easy installation of wireless network cards CAN be done, it just usually isn't. (yet)

Re:User Friendly Security (0)

Anonymous Coward | about 12 years ago | (#4390426)

^^^^^^

When I first read that subject, it made me think of Crud Puppie standing guard over my system :)

OJ Hosts Battered Woman's Workshop (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#4386364)


Gates Schedules Randoidian LieSense Seminar

fedell & the fedorites are as joined at the hype (indebted) to wall street of deceit.con, as VA lairy. fud on.

meanwhile, back at REALit, almost everything's gnu now. you're welcome.

Where, Howth Castle and environs? BUTTHEAD. (-1, Flamebait)

Anonymous Coward | about 12 years ago | (#4386401)

Yer a fag.

Attend! Get your Trojans in now! (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#4386381)

Thank God for Open Source! I could never have gotten a backdoor in the NT kernel, but with Linux it's a walk in the park!

And right next to this story... (5, Funny)

gosand (234100) | about 12 years ago | (#4386408)

I went to read this story, and noticed in the Breaking News box right next to it was this story:
Microsoft Issues Windows Security Warning

gotta love it

Re:And right next to this story... (2)

Dalcius (587481) | about 12 years ago | (#4387118)

Even better is when you read the story about Allchin saying [Microsoft source] Disclosure May Endanger U.S. [eweek.com] and there's a big fat Microsoft ad sitting in the middle of the article... that mentions security no less.

Oh, the irony...

Design, Development, Deployment "load marks" (5, Interesting)

NZheretic (23872) | about 12 years ago | (#4386447)

From the Plimsoll Club history [plimsoll.com]
Samuel Plimsoll, M.P.
(1824-1898)

Samuel Plimsoll brought about one of the greatest shipping revolutions ever known by shocking the British nation into making reforms which have saved the lives of countless seamen. By the mid-1800's, the overloading of English ships had become a national problem. Plimsoll took up as a crusade the plan of James Hall to require that vessels bear a load line marking indicating when they were overloaded, hence ensuring the safety of crew and cargo. His violent speeches aroused the House of Commons; his book, Our Seamen, shocked the people at large into clamorous indignation. His book also earned him the hatred of many shipowners who set in train a series of legal battles against Plimsoll. Through this adversity and personal loss, Plimsoll clung doggedly to his facts. He fought to the point of utter exhaustion until finally, in 1876, Parliament was forced to pass the Unseaworthy Ships Bill into law, requiring that vessels bear the load line freeboard marking. It was soon known as the "Plimsoll Mark" and was eventually adopted by all maritime nations of the world.

The risks, issues and solutions for providing a more secure operating and application environment have been known for decades. Those who do not already comprehend the issues and are willing to learn should take some time out to listen to some of the speeches at Dr. Dobb's Journal's Technetcast security archives [ddj.com], starting with Meeting Future Security Challenges [ddj.com] by Dr. Blaine Burnam, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA).

The "security rules" for Unix-based system and application development are well known, although not widely taught. See Secure Programming for Linux and Unix [dwheeler.com] by David Wheeler. Although Microsoft's NT, 2000 and XP are not Unix based, a lot of the above "rules" apply or have direct or indirect equivalents.

Because some developers ignore the above rules, the design and implementation of some applications and servers are just too unsafe to use in the "open ocean" of the internet.

Numerous security experts have railed against Microsoft's lack of security, best summed up by Bruce Schneier, Founder and CTO of Counterpane Internet Security, Inc., who rightly stated ... [counterpane.com]

Honestly, security experts don't pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft's poor products are one of the reasons we're in business. We pick on them because they've done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products' security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products. (Note to Gartner: The vulnerabilities will come, a couple of them a week, for years and years...until people stop looking for them. Waiting six months isn't going to make this OS safer.)

However Microsoft's products are not alone in the presence of vulnerabilities, this is a major issue for Linux/BSD and Unix as well as any other OS and vendor.

In a recent speech, Fixing Network Security by Hacking the Business Climate [ddj.com], Bruce Schneier claimed that for change to occur, the software industry must become liable for damages from "unsecure" software; however, historically this has not always been the case, since most businesses can insure against damages and pass the cost along to the consumer.

The Ford Pinto and more recently the Ford Explorer's tires are two examples of public and media pressure being more successful than just the threat of lawsuits. Even so, eventually through public pressure the governments around the world have to step in and pass regulations that set up a minimum set of requirements an automobile has to meet to be deemed "road worthy". This includes crash testing as well as the inclusion of safety equipment on all models. The requirements are not constant and change to meet the expectations and demands of the public and lawmakers.

The onus is not only on the automotive industry itself but also on the users. Most countries require that all automobiles undergo regular inspection and maintain an up to date "Warrant of Fitness".

In the same way, if you want a secure IT infrastructure, eventually the software design, implementation and each deployment will have to undergo the same type of regulation and scrutiny.

For paid software distributions, this could mean just a tick list of security features and security tests to the other extreme of requiring the source code to be fully audited for government/secure deployments.

For users, this would require running a program that checks to make sure that all the required software security update/patches have been installed to the other extreme of requiring an audited deployment for government/secure deployments.

Users and vendors should be taking a more active approach, including lobbying government, to
1) set up a minimum set of expectations, in the design and implementation of internet "accessing" software ; and
2) ensure that all deployments are more securely implemented ; and/or
3) remove inherently unsecure products from the marketplace.

IMO the above three are preferable to all software vendors, including Microsoft, than attempts to allow liability lawsuits against vendors for deployments which the software vendors have very little control over.

Dude!! (1)

supun (613105) | about 12 years ago | (#4386502)

You're being rooted!

Kernel compiles don't have to be horror stories (2, Interesting)

PetiePooo (606423) | about 12 years ago | (#4386511)

How many people here remember the older versions of SCO UNIX? It used to be, when you got drivers for an add-in card, you received only the source or a library file and headers. You'd have to recompile the kernel just to get that old NetCom X.25 card working.

Thankfully, they had an interface to automate that. It was a CUI, of course, because few people had the luxury of enough memory to run X11.. (Ack! I sound like my dad.. "I had to walk to school! Up hill; both ways!") But, all you had to do was run a script. Perhaps more than "./configure; make; make install," but not too involved. An entry-level sys-admin could do it. Of course, they had dead-tree instructions to guide them too; something that's missing all too often today.

Some of you may be thinking there's no need to recompile the kernel if you can just use insmod. Have you heard of the module-based rootkits? My hardened system has loadable modules disabled. If I need to compile something, I do it on another system. A little paranoia pays off in this world.

There are many things to do yet that would help people who aren't gurus create secure, hardened Linux installs. I foresee only good things coming from summits like this.

Re:Kernel compiles don't have to be horror stories (0)

Anonymous Coward | about 12 years ago | (#4386558)

SCO OpenServer 5.0.5 here, although it does come with X running. It also has the ncurses-look-alike interface. But you don't have to recompile the kernel, you just re-link it. A recompile would mean that you had source (and would take a lot longer).

Re:Kernel compiles don't have to be horror stories (2, Informative)

PetiePooo (606423) | about 12 years ago | (#4386723)

I stand corrected. Linking is part of the greater compile cycle, but to say that the kernel must be relinked would be more precise.

I think the version I had to work on was in the 3.x range. We were working with some legacy software that only runs on that version, so we were unable to upgrade. It couldn't even be made 2K compliant, but much to the management's chagrin, didn't explode after all. In fact it's still running like a champ!

Re:Kernel compiles don't have to be horror stories (2)

LinuxHam (52232) | about 12 years ago | (#4386798)

> Of course, they had dead-tree instructions to guide them too; something that's missing all too often today.

That's only because people don't print out the docs prior to starting their endeavours. I had a 2-inch binder filled to capacity with separator tabs before I tried my first install. Hell, the full RH install guide is there in PDF form on the freely downloadable version, not to mention all the HOWTOs. I appreciate the fact that they include the entire book in the freely downloadable version.

How often do you see around here, "oh, discs 3 & 4 are the source RPMS and disc 5 is the documentation CD, so you really only need discs 1 and 2." Take disc 5 over to staples and have them make up a binder for you with some/all of the docs on the doc CD. Of course, you should give the $30 to RH instead, but still, at least you'll have paper that you can mark up and read when all you get is "No Operating System".

Re:Kernel compiles don't have to be horror stories (2)

Random Walk (252043) | about 12 years ago | (#4387487)

> Some of you may be thinking there's no need to recompile the kernel if you can just use insmod. Have you heard of the module-based rootkits? My hardened system has loadable modules disabled. If I need to compile something, I do it on another system. A little paranoia pays off in this world.

This will not help you at all. One can modify the kernel at runtime using /dev/kmem, and you cannot protect against that (for a detailed discussion, see this article [phrack.com] from Phrack 58). There are rootkits out there that use this technique.

Re:Kernel compiles don't have to be horror stories (1)

PetiePooo (606423) | about 12 years ago | (#4390018)

Nice.. Scary stuff.

Fortunately, right in the readme file, he has a patch for mem.c to disable write access to /dev/kmem. It's a game!!!

What is the deal with DELL? (0)

Anonymous Coward | about 12 years ago | (#4386541)

On the one hand they're Microsoft's little bitch and make it hard as hell to buy systems with Windows on them, on the other hand they pull crap like this.

I am confused

Re:What is the deal with DELL? (1)

lovebyte (81275) | about 12 years ago | (#4386664)

It's like IBM. They want to advertise their geekiness and security consciousness, but it's just the marketing department. Behind the scenes (and you put it in such an elegant way, I can only repeat it), they are just Microsoft's little bitch.

Turn up the logic and turn down the posting (2, Interesting)

Marc2k (221814) | about 12 years ago | (#4386684)

> On the one hand they're Microsoft's little bitch and make it hard as hell to buy systems with Windows on them, on the other hand they pull crap like this.

What? Did you mean WITHOUT? If you didn't, then you surely have three hands, because you're talking about three different viewpoints, plus that's just not true. If you did, did you see THIS [slashdot.org] article? Hmm? Didja?

Also, what's this crap about "crap like this"? I don't think hosting an OS conference is crap.

Re:Turn up the logic and turn down the posting (0)

Anonymous Coward | about 12 years ago | (#4389028)

SLUTT SUX. KILL SLUTT.

I mean it.
I mean it.
I mean it.

Interesting (2)

j_kenpo (571930) | about 12 years ago | (#4386699)

Well, it's about time... the two most insecure products in their class, Red Hat being the most insecure of Linux distros, and Dell for shipping the most default-configured Win2k Servers, seek help in their security... For Red Hat I have this advice: don't, by default, start so many damned services with default configurations (sendmail, RPC, etc). And Dell, don't ship standard-configured servers to no-talent admins, and kill that annoying Steven kid.. All in all this is a good thing; unless mass rioting breaks out nothing bad can come from a security conference. I'm not sure how much different from other security conferences this one will be. One thing did occur to me though, didn't Dell stop shipping Linux on their servers??

Re:Interesting (0)

Anonymous Coward | about 12 years ago | (#4386823)

Why not say to both of them:

DO NOT START ANY SERVICES REMOTELY AVAILABLE AT ALL in default Configuration?

There is absolutely no need to do so in Windows nor in Linux. If, and only if a user needs a service or daemon to be started and open, he has to activate it explicitly after installation. This is the only way to get remote security at its basics.

Re:Interesting (4, Interesting)

pellaeon (547513) | about 12 years ago | (#4386926)

You (and my co-responder) haven't run RedHat for a while, have you? By default, since RH7.1, NO services are started!

Get your facts straight before flaming please. Red Hat is doing a good job, progressively being more 'secure by default' since about RH 6.1 (took them a while though ;-)

Re:Interesting (3, Informative)

j_kenpo (571930) | about 12 years ago | (#4387126)

Excuse me, before you run your mouth, maybe you should get your facts straight. I've run Red Hat since 4.2 as a matter of fact. I just did a fresh install of 8, and it had the mentioned applications, plus a few extras, start up by default. I had to MANUALLY disable those items from each runlevel init... Same goes for the box I upgraded; it added services that were previously disabled. And it has been that way in every release of RedHat that I've run. This has been the case using the RedHat Installer AND using APT-RPM for doing the upgrades and installations. Now it may not be that way using installation choices other than Custom, but since I do a custom install every time I couldn't tell you...

Re:Interesting (2, Informative)

pellaeon (547513) | about 12 years ago | (#4387201)

Well, I use custom installs exclusively too, and at least RH7.1/2 didn't enable any service by default. I haven't done any new installs using RH8 or 7.3 (just upgraded), but I find it very hard to believe that they would regress like that.

I'll be able to check soon though, since I'm going to install 8 on the ~100 computers I admin. You're right about pre-7.1 installs, I don't dispute their poor security record at all.

Re:Interesting (2)

j_kenpo (571930) | about 12 years ago | (#4387767)

Actually, this brings up a good question... why would the two be so different? Are the 100 systems going to be fresh installs, or are they upgrades? If you have the spare time, upgrade a few and fresh install a few.. I'd be interested to see the results.. That's kind of odd; I know specifically that in the installs I've done and the upgrades I've done, I've had to go back and disable unwanted startup processes. This was the case with both my desktop system that got a fresh install, and my IDS sensor, which I had to go back and restore backup configuration files on to maintain an IP-less setup, plus disable the startup processes. An interesting discrepancy...

Re:Interesting (1)

pellaeon (547513) | about 12 years ago | (#4390537)

That would indeed be interesting...perhaps I'll take some time. Mostly though, I tend to do fresh installs (using kickstart, that isn't a chore at all).

IIRC, an upgrade (at least the ones I do :) just preserves settings as far as services go.

I recently installed a server in the following way: installed off the LAN with RH7.2 with the absolute minimum I could get away with, excepting only openssh-server (no client even). This took some 258MB only. Then I took some time installing apt on these machines (using the enabled ssh service, of course) and upgraded them to RH8 (I did this off a custom-built apt repository with rpms leaked from an ftp site as RH8 wasn't out yet :)

The only services open now are openssh and postfix (since it's going to be a mail gateway), both of which I had to enable. Two open tcp ports, no open udp ports, according to netstat.

So that would qualify as 'secure by default' in this set of services at least. As to others...who knows? Perhaps you run some services that are enabled by default that I don't run? (I guess X enables port 6000 by default, and I run that too, on the desktops at least, so that might be considered 'unsecure by default' perhaps.)
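One way to turn the netstat check described in the post above into a repeatable audit, as an added Python example that is not part of this thread or of Red Hat's tooling: it parses `netstat -ltun`-style output (the sample below is constructed for the example, not captured from any real host) and sorts every listening socket into "expected" (on the allowlist for this box's role), "loopback only" (reachable locally but not from the network) and "unexpected" (externally reachable and not on the allowlist). The allowlist for a mail gateway, ssh plus smtp, is the one the post describes; the hypothetical sample deliberately includes an X server on 6000 and RPC portmap on udp/111, the kinds of default-enabled services the thread argues about.

```python
import re

# Constructed sample of `netstat -ltun` output for the example (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

# Matches the proto, local bind address and port of one netstat line.
# tcp6/udp6 lines use addresses such as ':::22'; the regex backtracks to the last ':'.
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")

LOOPBACK = {"127.0.0.1", "::1"}

# Allowlist for the mail-gateway role described in the thread: ssh and smtp only.
ALLOWED_MAIL_GATEWAY = {("tcp", 22), ("tcp", 25)}


def parse_listeners(text):
    """Return (proto, bind_address, port) for every listening socket in netstat output."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and anything else we do not understand
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        # Fold tcp6 into tcp (and udp6 into udp) so one allowlist entry covers both stacks.
        proto = proto.rstrip("6")
        found.append((proto, addr, port))
    return found


def audit(text, allowed):
    """Classify listeners against the allowlist of (proto, port) pairs for this host's role."""
    report = {"expected": [], "loopback_only": [], "unexpected": []}
    for proto, addr, port in parse_listeners(text):
        if (proto, port) in allowed:
            report["expected"].append((proto, addr, port))
        elif addr in LOOPBACK:
            # Bound to loopback: not network-reachable, so lower priority but still worth knowing.
            report["loopback_only"].append((proto, addr, port))
        else:
            report["unexpected"].append((proto, addr, port))
    return report


def is_secure_by_default(report):
    """True when nothing outside the allowlist is reachable from the network."""
    return not report["unexpected"]


if __name__ == "__main__":
    result = audit(SAMPLE_NETSTAT, ALLOWED_MAIL_GATEWAY)
    for category, sockets in result.items():
        for proto, addr, port in sockets:
            print(f"{category:14} {proto}/{port} bound to {addr}")
    print("secure by default:", is_secure_by_default(result))
```

On a live box, feed it the real output (`netstat -ltun` on the era's Red Hat, `ss -ltun` on current systems) and adjust the allowlist per host role; the point of the split is that a listener on 127.0.0.1 (the CUPS port in the sample) is a different finding from an X server or portmap bound to 0.0.0.0.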

Re:Interesting (2)

j_kenpo (571930) | about 12 years ago | (#4404987)

Actually, interestingly enough... there was an article on OSnews where a guy mentioned this exact issue with Red Hat 8.0...

http://www.osnews.com/story.php?news_id=1883

Dell ships over 10-20% of its servers with Linux (1)

lerhaupt (231905) | about 12 years ago | (#4386972)

www.dell.com/linux

Re:Dell ships over 10-20% of its servers with Linu (2)

j_kenpo (571930) | about 12 years ago | (#4387141)

OK, I'd read an article a while back saying that Dell was to discontinue shipping Linux on its servers; it's good to see that isn't the case.

Enterprise security? (4, Funny)

voicebox (516987) | about 12 years ago | (#4387225)

and experts in enterprise security

Does that mean a couple of red-shirts will be there?

Worf (1)

Free Bird (160885) | about 12 years ago | (#4389014)

No, it means Worf will be there...

WARNING: PetsWarehouse is no longer Slashdotted! (-1, Offtopic)

Anonymous Coward | about 12 years ago | (#4387300)

Sorry for the offtopic post, but this is important.

See this story [slashdot.org] from yesterday for more details. Pets Warehouse [petswarehouse.com] has recovered from the Slashdot Effect and is back up [petswarehouse.com] . Click the link [petswarehouse.com] , click the link [petswarehouse.com] , click the link [petswarehouse.com] ! Don't let Robert Novak [mailto] , Slashdot enemy-of-the-month, earn one more dollar from his website [petswarehouse.com] !!!

Also, e-mail [mailto] them [mailto] and tell them what you think! Call them at 1-800-991-3299 from a payphone: they [petswarehouse.com] 'll have to pay for the 1-800 call *and* for the payphone usage!

Show them [petswarehouse.com] the POWER of Slashdot!!!!

West Coast? (1)

perrin5 (38802) | about 12 years ago | (#4387482)

So when are they going to send one west of the Rockies?

I mean really, some of us only have so much money in our travel budgets...

Is this a joke? (0)

Anonymous Coward | about 12 years ago | (#4389275)

Linux and security are two things that do NOT go together.
Linux is the Windows of the unix world.

If Steven (The Dell Kid) Shows Up! (0)

Anonymous Coward | about 12 years ago | (#4391810)

Sounds great! But if that Steven (The Dell Kid) shows his face at the conference I think he should be Severely beaten to a pulp. Severely beaten to a pulp. Severely beaten to a pulp. Severely beaten to a pulp. Severely beaten to a pulp. Severely beaten to a pulp. Severely beaten to a pulp. Severely beaten to a pulp. Severely beaten to a pulp. Severely beaten to a pulp.

Last Post! (1)

alpg (613466) | about 12 years ago | (#4479596)

In America today ... we have Woody Allen, whose humor has become so
sophisticated that nobody gets it any more except Mia Farrow. All those who
think Mia Farrow should go back to making movies where the devil gets her
pregnant and Woody Allen should go back to dressing up as a human sperm,
please raise your hands. Thank you.
-- Dave Barry, "Why Humor is Funny"

- this post brought to you by the Automated Last Post Generator...