
Red Hat to Release Enhanced-Security Linux

timothy posted more than 10 years ago | from the compound-modifier dept.

Red Hat Software 326

Klatoo55 writes "According to an article by Techweb, Red Hat will release Red Hat Enterprise Linux 4.0, which includes support for Security-Enhanced Linux, in 2005. Red Hat has been running this system with a published IP address asking for hackers to try to break the security. The last version was defeated within 45 seconds, but this new version (apparently to be the policy for the next Fedora) has yet to be cracked."

326 comments

first post. (-1, Offtopic)

dremspider (562073) | more than 10 years ago | (#8214460)

Does sound like a good idea though

Big Deal (-1, Insightful)

Piethon (748147) | more than 10 years ago | (#8214473)

Big deal - even if the core OS is completely secure, there are going to be programs and scripts with vulnerabilitys.

Re:Big Deal (0)

Anonymous Coward | more than 10 years ago | (#8214507)

Looks like your spellchecker got rooted.

Re:Big Deal (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8214620)

God that was funny! Man, you are so cool! I'm serious, I want to be just like you when I grow up, a spell nazi on Slashdot. Man, I bet you get all the girls!

eureka. (2, Funny)

xeeno (313431) | more than 10 years ago | (#8214629)

1. Release OS for years filled with security holes
2. Stop releasing OS for free
3. Sell security based OS
4. ?????
5. Profit!

Re:Big Deal (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8214516)

... And if the OS is secure, those vulnerable programs can't do any more damage than they should be allowed to do, even if they do get compromised.

It is a Big Deal (3, Informative)

llouver (579855) | more than 10 years ago | (#8214534)

Yes. But exploiting a bug in a particular application or service is only going to expose the data that application or service uses. In a SE Linux system, you don't gain root or system privileges by breaking an application or service since NONE of them run as root.

Re:Big Deal (1)

Homology (639438) | more than 10 years ago | (#8214543)

Big deal - even if the core OS is completely secure, there are going to be programs and scripts with vulnerabilitys.

Indeed, this is why we have projects like Hardened Gentoo [gentoo.org] where SELinux is just one part of it. Other technologies that attempt to make buffer overflows (among other things) very difficult/impossible to exploit are not included in SELinux, nor in Red Hat.

OMFG YUO == GOT SERVED!!! (-1)

Anonymous Coward | more than 10 years ago | (#8214549)

Re:Big Deal (2, Informative)

Tim C (15259) | more than 10 years ago | (#8214565)

Don't forget the users - most, if not all, of the fastest spreading Windows trojans and viruses of recent years have relied entirely on user-intervention.

As long as a user can run arbitrary code that opens up network ports and sends data to arbitrary destinations, it will be difficult to completely secure a machine. Per-application egress filtering would go a long way to securing this, but I'm not aware of anything available for Linux that allows you to do so.

Re:Big Deal (1)

Muggins the Mad (27719) | more than 10 years ago | (#8214644)


As long as a user can run arbitrary code that opens up network ports and sends data to arbitrary destinations, it will be difficult to completely secure a machine. Per-application egress filtering would go a long way to securing this, but I'm not aware of anything available for Linux that allows you to do so.


Um, SE Linux :)

At least it goes a way towards this. Combined with some good iptables rules (possibly dynamic?) you could get a pretty good system.

Executed mail attachments not having access to address book or network, for example.

- Colin

Re:Big Deal (4, Insightful)

burns210 (572621) | more than 10 years ago | (#8214589)

Yes, but a good core OS will limit the damage any 1 program can do... A common argument about Windows is that it itself is secure, however the programs that run it (drivers/applications/etc) are insecure. In actuality, even with a buggy/trojan program being run, a good OS would not allow it to wreak havoc on much of the system, let alone crash the entire computer.

Re:Big Deal (1)

Haeleth (414428) | more than 10 years ago | (#8214686)

even with a buggy/trojan program being run, a good OS would not allow it to wreak havoc on much of the system, let alone crash the entire computer.

Ultimately there is no defense against a privileged idiot typing "cd /; sudo rm -rf *".

Oh, sure, if the user doesn't have any administrative privileges, that sort of thing is basically prevented, but most of the Windows installations that catch all these email trojans are home setups, not big corporations. I would seriously like to hear someone tell me how a home Linux installation can be made idiot-proof, short of some clueful person giving up a lot of their spare time to do administrative stuff.

All it would take to bring down Fred "The guy in Walmart said Linux was cheaper" would be *one* fake email saying "you have a DEADLY VIRUS; to remove it open a Konsole and type the following [evil] commands, entering your root password when prompted"...

Re:Big Deal (0)

Anonymous Coward | more than 10 years ago | (#8214710)

No defense? What if the concept of root is eliminated?

Security Enhanced Sure! But... (5, Funny)

Anonymous Coward | more than 10 years ago | (#8214476)

I think we can bring that baby down without a hack.

What say you slashdot?

Re:Security Enhanced Sure! But... (1)

n0dez (657944) | more than 10 years ago | (#8214638)

I think that everything could be hacked... the point is how long is it gonna take you?

Re:Security Enhanced Sure! But... (2, Insightful)

t0ny (590331) | more than 10 years ago | (#8214661)

But Red Hat's point is that somebody can bring down Slashdot, with a hack. And, were it a race, I don't think /. could bring them down in 45 seconds.

I wonder how the last system was defeated? (5, Funny)

Snake_Plisken (666881) | more than 10 years ago | (#8214477)

45 seconds? Sounds like someone yanked the power cord out of the boxen to do it that fast...

Re:I wonder how the last system was defeated? (3, Funny)

Sexy Bern (596779) | more than 10 years ago | (#8214515)

But is that 45 seconds on the battlefield or 45 seconds at medium-to-long-range targets?

Re:I wonder how the last system was defeated? (0, Flamebait)

t0ny (590331) | more than 10 years ago | (#8214615)

Wow, if you listen to the Slashdot crowd, Linux 1.0 is nearly impenetrable, security-wise.

Too bad they can't mod down that "45 second" article; I'm sure they really would like to suppress it.

Re:I wonder how the last system was defeated? (0)

Anonymous Coward | more than 10 years ago | (#8214673)

I notice you're posting logged in.

Doesn't that make you, by definition part of the "Slashdot crowd"?

45 Seconds?!?! (3, Insightful)

Gunfighter (1944) | more than 10 years ago | (#8214480)

Holy smokes!! If it only took 45 seconds to crack it the last time around, I'd venture to say they overlooked a MAJOR security hole. This one has yet to be cracked; but if they overlooked a major one before, what are the chances that there are several obscure security vulnerabilities they overlooked this time?

Re:45 Seconds?!?! (3, Informative)

c_oflynn (649487) | more than 10 years ago | (#8214499)

It's not so bad - the earlier version wasn't designed to be as secure, and this was 1999!! From the article:

Tiemann outlined an instance of how SE Linux is more secure than traditional Linux in his EclipseCon keynote Wednesday. He said that in a security test on a previous version of Red Hat Linux in 1999, it took only 45 seconds for a hacker to break into the system. A recent test on a version of Linux running SE Linux as its security policy still has yet to be cracked, even though the IP address of the system was published to would-be hackers and the root had no IP address.

Re:45 Seconds?!?! (2, Insightful)

Knuckles (8964) | more than 10 years ago | (#8214508)

the root had no IP address

What's that supposed to mean?

Re:45 Seconds?!?! (4, Funny)

DAldredge (2353) | more than 10 years ago | (#8214571)

It means the people that write tech articles are, for the most part, idiots.

Re:45 Seconds?!?! (2, Funny)

daemonslayer (550393) | more than 10 years ago | (#8214555)

wasn't designed to be as secure

It sounds like it was designed to be insecure...

Re:45 Seconds?!?! (0)

Anonymous Coward | more than 10 years ago | (#8214506)

On the contrary, it was probably an extremely obscure hack, known by few. Which is why it was still a vulnerability.

Re:45 Seconds?!?! (1, Insightful)

Anonymous Coward | more than 10 years ago | (#8214511)

The 45-second-hack was for the last version of Red Hat Enterprise Linux, not the last version of Security Enhanced Linux. The contrast is to show how much SELinux improves things.

Of course, that doesn't rule out a bad implementation in RedHat's SELinux-based project.

Re:45 Seconds?!?! (1)

Gunfighter (1944) | more than 10 years ago | (#8214522)

If they try hard enough, I'm sure they'll be able to find some way to screw it up. I think I'll stick with something a little more minimalist. [gentoo.org]

Re:45 Seconds?!?! (1)

petabyte (238821) | more than 10 years ago | (#8214597)

Gentoo has their own experimental install routine to use SELinux as well. The link is here [gentoo.org] .

Re:45 Seconds?!?! (0)

Anonymous Coward | more than 10 years ago | (#8214538)

Last time I checked, 45 seconds at 1 GHz gives your hacking script 45 billion cycles to crack the system. Looks plentiful to me.

Re:45 Seconds?!?! (1)

Gunfighter (1944) | more than 10 years ago | (#8214579)

I was thinking more along the lines of via remote access w/ a portscanner and whatnot. I guess I'm just used to seeing Nessus [nessus.org] run and taking friggin forever to scan a host over my cable modem (no... I don't break into the systems, I just scan them and sell the results ;).

Re:45 Seconds?!?! (4, Funny)

mackman (19286) | more than 10 years ago | (#8214636)

I think this time they changed the default root password to something better than "root".

Re:45 Seconds?!?! (1)

Bobdoer (727516) | more than 10 years ago | (#8214709)

It wasn't some obscure bug. Root's password was 7331.

Security? (3, Interesting)

azatht (740027) | more than 10 years ago | (#8214485)

Have they created something on their own to enhance the security, or is it just that they have included some restrictions for the users/administrators? (i.e. have they disabled the root account?)

Re:Security? (5, Funny)

Sexy Bern (596779) | more than 10 years ago | (#8214500)

ifconfig eth0 down

I'm Done With Redhat (1, Interesting)

tealover (187148) | more than 10 years ago | (#8214490)

I wiped it off my dual-boot machine (now single boot). They do some good things but they seem lost recently. They're scrambling to come up with a successful business model. Unfortunately, I can't wait for them to figure it out. I need a stable linux platform that I can count on.

I hope things work out for them because to a large extent, their success (or lack) will be tied to the Open Source movement.

Re:I'm Done With Redhat (1)

bcs_metacon.ca (656767) | more than 10 years ago | (#8214519)

Do more research into Fedora Core before dismissing it as "unstable".

Re:I'm Done With Redhat (2, Informative)

cubicledrone (681598) | more than 10 years ago | (#8214556)

Stock price is up 400% in 12 months. Is that successful enough?

Invulnerable to MyDoom type virii? (5, Interesting)

Raster Burn (213891) | more than 10 years ago | (#8214492)

The article implies that SE Linux would be more secure than Windows, especially in light of the MyDoom virus. But doesn't the MyDoom virus depend on a dope sysadmin clicking on a binary attachment to spread?

So how does SE Linux protect systems against trojans?

Re:Invulnerable to MyDoom type virii? (4, Funny)

BoomerSooner (308737) | more than 10 years ago | (#8214531)

By not running your mail client as root.

Re:Invulnerable to MyDoom type virii? (3, Insightful)

shird (566377) | more than 10 years ago | (#8214581)

You should already be running your mail client under windows without admin privs, which achieves the same thing. However:

I suppose non-root users can't send e-mail? After all, that is a major component of what the MyDoom virus does.

And I suppose non-root users can't listen on a port for incoming instructions to execute? Or run a proxy server on a non-privileged port?

And will it stop a trojan which asks 'Root password needed to continue:' and then proceeds to use it to screw your system? If users are dumb enough to run arbitrary code, they will be more than happy to supply a root password.

Linux is no more secure than windows against trojans.

Re:Invulnerable to MyDoom type virii? (0)

Anonymous Coward | more than 10 years ago | (#8214628)

Linux is no more secure than windows against trojans.

I have yet to see a Linux mail client which will execute an attachment if you click on it.

Usually one would have to save the attachment to disk, set the executable flag, and then run the attachment.

Re:Invulnerable to MyDoom type virii? (1)

shird (566377) | more than 10 years ago | (#8214665)

And I suppose the Linux kernel is what's stopping that from happening?

I could write a mail client under windows which doesn't execute attachments when you click on them, and requires you to save the file to disk and rename it to execute, therefore windows is also secure!

I could write a client under Linux which sets the execute bit and runs attachments when you click on them, therefore Linux is insecure!

bah.

Re:Invulnerable to MyDoom type virii? (5, Insightful)

pavera (320634) | more than 10 years ago | (#8214659)

Wrong,
By simply clicking on an attachment in any mail client in Linux it will not execute... The user would have to save the attachment to disk, chmod it +x, and then execute it, and then, if the trojan wanted to write anything to disk outside of the user's home directory, it would have to ask for the root password, and then if the user was that stupid, ok they really deserve to be infected with a virus. However, in a decently administered system the users don't know the root password, they don't need it ever, and they should never be installing programs. The amount of work it would take to install the trojan on Linux would be a deterrent; it is also the deterrent to wide-scale adoption of Linux by home users, because installing programs is just as difficult as installing trojans.

Re:Invulnerable to MyDoom type virii? (1)

shird (566377) | more than 10 years ago | (#8214681)

The same can be done with a securely coded mail client and correct user account under windows.

But for ease of use, and pressure to have admin privs, you have this insecure situation under Windows. The same will be true of Linux if it were to go mainstream.

Re:Invulnerable to MyDoom type virii? (2, Insightful)

Pharmboy (216950) | more than 10 years ago | (#8214667)

Linux is no more secure than windows against trojans

I would respectfully disagree. Linux is no more secure than windows against "social engineering", but there is a difference in a trojan run as a user and a trojan run as root. One of the primary problems with Windows is the difficulty in running some software that should be "user" software without root access.

I got my first SunOS shell many years ago, and I am pretty sure most trojans, if they had existed, might have wiped out my files, but not wiped the entire system, since I certainly did not have root access. Even at an office network, it is possible to have a Linux setup without anyone having root access, but this is more difficult with Windows, and impossible with networks that work with mixed OS's (like mine) with win9x/2k/linux.

I agree that Linux is not bullet-proof, but there are some real differences that would limit the rampant spread of a worm/trojan as long as the whole world doesn't change to Lindows or other nix variants that run as root by default.

Re:Invulnerable to MyDoom type virii? (1)

shird (566377) | more than 10 years ago | (#8214724)

Actually the problem is probably worse under Linux than windows. Because of setuid programs, there are a lot more local root exploits under Linux than windows (which has very few, due to no concept of setuid root).

Therefore, a Linux virus could 'get root' under a normal user account a hell of a lot easier than one could under Windows. With root access, a virus then becomes a lot more serious.

Re:Invulnerable to MyDoom type virii? (0)

Anonymous Coward | more than 10 years ago | (#8214599)

By not running your mail client as root.
Root has nothing to do with it. If a user executes the MyDoom binary (which means they had to first unzip it, then find the unzipped file, then double-click on it), they will become infected, regardless of whether or not they're running on an Administrator account. The executable will run, it will begin looking for email addresses, it will commence mailing out copies of itself, etc. It will still be able to write a "Run this program when I login" registry key.

All of this is just as plausible on a Linux machine. The problem for worm writers is that the process takes an extra step. They'd have to gunzip - not a huge task, if they're using a GUI - then chmod, then run. The second step is the barrier to malware. On unix operating systems, files don't execute based upon their names. Files must be specifically and intentionally chmod'd in order to be executable.

This is why MyDoom would not succeed on Linux.

Re:Invulnerable to MyDoom type virii? (1)

shird (566377) | more than 10 years ago | (#8214617)

So it won't succeed because it is a pain in the arse to run anything under Linux?

What you're saying is basically Linux is too difficult to use for a user to spread viruses under. I can see this changing over time however.

Re:Invulnerable to MyDoom type virii? (1)

utahjazz (177190) | more than 10 years ago | (#8214577)

doesn't the MyDoom virus depend on a dope sysadmin clicking on a binary attachment to spread?

Alas, to gain usability, distros targeting mass market desktop users are starting to make them log in as root by default (Lindows).

If Linux is ever as popular as windows, I'll bet most people will be running as root. And, they'll not hesitate to download zips and run them. Come to think of it, we can't even tell them "Don't click on .exe files"

--
We got zips in the wire. Drop all you got on my position.

Re:Invulnerable to MyDoom type virii? (3, Insightful)

Tim C (15259) | more than 10 years ago | (#8214688)

But on a single-user system, what difference does it really make?

Whether I run as root/Administrator or not, all the important stuff on my machine (my files) are read/write/delete by my user anyway. Running as an unprivileged user means two things:

a) I can't interfere with other users' files
b) I can't interfere with system files

If I'm the only user, and my system files are all backed up on the nice, shiny install media, what is the difference, apart from perhaps having to reinstall?

Nope, MYdoom counts on stupid users... (1, Funny)

Anonymous Coward | more than 10 years ago | (#8214586)

Nope, MYdoom counts on stupid users... yet another reason to license users.

Windows Beats Linux! (5, Funny)

Anonymous Coward | more than 10 years ago | (#8214493)

The last version was defeated within 45 seconds
That's nothing. I put a stock Windows box on the internet, didn't even bother publishing the IP, and it was cracked within 10 seconds! Take that, open-source advocates, Windows has finally beat you at something!

Linux Defeated in Benchmarks (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8214495)

After hearing how much the improvements in Linux performance were, I decided to do some benchmarks.

Here are the Machines I used.
AMD Opteron 3400+ with UltraSCSI320 Hard disks
XServe G5
386SX with MFM hard disks

Copying a 17 Mebibyte file from one hard drive to another.
SCO UnixWare : 7.3 Seconds
Windows Longhorn Server beta : 7.5 Seconds.
Windows Server 2003 : 9 Seconds
Mac OS X Server 2004 : 9.5 Seconds
Windows 2000 Server : 11 Seconds
Linux 2.7 Server : 16 Seconds.
Linux 2.6 Server : 18 Seconds
MSDOS on a 386DX : 20 Seconds.
Linux 2.4 Server : 30 Seconds
Linux 2.2 Server : 48 Seconds
Linux 2.0 Server : 75 Seconds.

As you can See, Linux doesn't come CLOSE to beating enterprise systems at high performance servers. EVEN Msdos from a 386SX smokes Linux!
Don't mod me down unless you can justify these speeds. It is pretty obvious by now why SCO is suing Linux, because they are stealing their code to gain speed. And yes, DMA WAS ENABLED.

Re:Linux Defeated in Benchmarks (1, Funny)

Anonymous Coward | more than 10 years ago | (#8214558)

In case anyone is wondering, he used the highly reliable Anonymous Coward Benchmarking Suite (TM).

Re:Linux Defeated in Benchmarks (0)

Anonymous Coward | more than 10 years ago | (#8214566)

modded "interesting"...not only did people miss the joke, but they actually thought those numbers were anywhere near the truth?

Re:Linux Defeated in Benchmarks (0)

Anonymous Coward | more than 10 years ago | (#8214575)

OH MY GOD, all these years, I've been totally blind!!

Thank you for showing me the light. You've changed my life.

Now.. where are those msdos floppies?

YHBT YHL (0)

Anonymous Coward | more than 10 years ago | (#8214619)

HAND!

Re:Linux Defeated in Benchmarks (0)

Anonymous Coward | more than 10 years ago | (#8214578)

What the hell did you pull these numbers out of?

Copying a 50MB file (not in cache) from one partition to another (on the same harddisk) takes 4.66 seconds, including sync. P-III 500 with regular parallel ATA disk, Linux 2.4.20.

So maybe I've been trolled. Just don't take this guy's numbers for anything but shit.

YHBT YHL HAND (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8214594)

lol @ lunix zealots

YHBT YOU FUCKING OPEN SOURCE PEDOPHILE! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8214598)

SUCK TINY COCK!

Re:Linux Defeated in Benchmarks (0)

Anonymous Coward | more than 10 years ago | (#8214592)

Hate to feed the trolls but 2.7 isn't even out yet. Making up kernel releases makes you look stupid. On top of that, your numbers are fucking insane.

yhbt yhl hand (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8214607)

the stupidity of slashbots never ceases to amaze me

Re:yhbt yhl hand (0)

Anonymous Coward | more than 10 years ago | (#8214703)

I know you're a fucking troll. I'm criticizing your technique. This is not a 'victory' for you.

Re:Linux Defeated in Benchmarks (1)

DrLZRDMN (728996) | more than 10 years ago | (#8214658)

wtf is a 'Mebibyte'

YHBT (0)

Anonymous Coward | more than 10 years ago | (#8214683)

YHL HAND

Re:Linux Defeated in Benchmarks (0)

Anonymous Coward | more than 10 years ago | (#8214697)

mebibyte=1024 kibibytes=1024^2 bytes
megabyte=1000 kilobytes=1000^2 bytes

A good thing... (3, Insightful)

danielrm26 (567852) | more than 10 years ago | (#8214501)

It's nice to see that SEL is being adopted by someone like Red Hat. I think this development will get more distros and organizations interested in using it, which will benefit the project greatly.

Like it or not, Red Hat sets the tone in many ways, and in this case it's a good thing.

Get a Tech Writer Already (3, Insightful)

llouver (579855) | more than 10 years ago | (#8214502)

"... the root had no IP address" presumably should have read "... root had no password" and the jump from the NSA developed SE Linux to the Eclipse IDE escapes me.

DOS is faster than Linux! (Sc.ore 5, Informative) (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8214510)

After hearing how much the improvements in Linux performance were, I decided to do some benchmarks.

Here are the Machines I used
AMD Opteron 3400+ with UltraSCSI320 Hard disks
XServe G5
386SX with MFM hard disks

Copying a 17 Mebibyte file from one hard drive to another.
SCO UnixWare : 7.3 Seconds
Windows Longhorn Server beta : 7.5 Seconds.
Windows Server 2003 : 9 Seconds
Mac OS X Server 2004 : 9.5 Seconds
Windows 2000 Server : 11 Seconds
Linux 2.7 Server : 16 Seconds.
Linux 2.6 Server : 18 Seconds
MSDOS on a 386DX : 20 Seconds.
Linux 2.4 Server : 30 Seconds
Linux 2.2 Server : 48 Seconds
Linux 2.0 Server : 75 Seconds.

As you can See, Linux doesn't come CLOSE to beating enterprise systems at high performance servers. EVEN Msdos from a 386SX smokes Linux!
Don't mod me down unless you can justify these speeds. It is pretty obvious by now why SCO is suing Linux, because they are stealing their code to gain speed. And yes, DMA WAS ENABLED.

Parent = Moron (-1, Troll)

LordKazan (558383) | more than 10 years ago | (#8214550)

Anyone that uses "Mebibyte" notation deserves instant moderation down. I've used Linux to move 1 GB files, it performs MUCH better than Windows.

Parent, YHBT YHL HAND (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8214563)

you fell for a troll, dumbass

which is most secure (1)

treat (84622) | more than 10 years ago | (#8214523)

What is the most secure Linux setup? SELinux, grsecurity or something else? Should I ignore these and put every daemon in a separate UserModeLinux jail?

By secure I mean mitigating the likelihood that any bug will allow an attacker to obtain root, remotely or locally.

Ideally so secure that when properly (and strictly) configured no hole discovered in the past few years would have been exploitable.

Re:which is most secure (0)

Anonymous Coward | more than 10 years ago | (#8214554)

systrace.org is easy and efficient

Re:which is most secure (1)

Gunfighter (1944) | more than 10 years ago | (#8214559)

I've been toying with the UML jail concept recently, and I must say it looks great on paper. However, the setup and administration can be a real PITA.

This is the right question (4, Interesting)

Animats (122034) | more than 10 years ago | (#8214632)

With mandatory security with levels and compartments going mainstream, we need apps designed to use it properly.

Mail handling is a good example. Each receive process should be running in a separate jail, with a net connection to the incoming port, a limited connection to the mail database, and no privilege to open files or network connections. Then it doesn't matter what happens in the receive process.

The software that passes data across security boundaries has to be carefully written and audited. But it doesn't have to do much. Software has to be divided into two kinds - big, untrusted programs that do the work, and little, carefully audited security-critical programs that do very little.

The job of the OS is to keep each program in its own security box.

Mail, DNS, and web servers need to be broken up in this way. Now that Red Hat is going with SE Linux, it's time to do this. Get busy.
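
The split described in the comment above, as an added example that is not part of the original post or any project's code: an untrusted worker parses a constructed SMTP-style line while a small trusted broker validates the single fixed-size message it sends back. It assumes Linux/POSIX and uses `setrlimit(RLIMIT_NOFILE, 0)` as a stand-in for the jail or SELinux policy; `run_confined`, `worker` and `struct report` are hypothetical names.

```c
/* Added example (not from the thread): confined worker + small trusted broker. */
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed-size message: the only thing that crosses the security boundary. */
struct report {
    int  open_errno;    /* errno from the worker's attempt to open a file   */
    int  socket_errno;  /* errno from the worker's attempt to open a socket */
    char sender[64];    /* envelope sender the worker parsed from raw input */
};

/* Untrusted side: the big parser. Runs with no way to obtain new descriptors. */
static void worker(int chan, const char *raw)
{
    struct rlimit none = { 0, 0 };
    struct report r;
    int fd;

    memset(&r, 0, sizeof r);
    /* Stand-in for the jail: from here on open(), socket(), pipe() and dup()
     * fail with EMFILE. Descriptors that are already open (chan) keep working.
     * A real deployment would also close inherited descriptors and drop uid. */
    if (setrlimit(RLIMIT_NOFILE, &none) != 0)
        _exit(2);

    fd = open("/etc/passwd", O_RDONLY);          /* what hostile input might try */
    r.open_errno = (fd < 0) ? errno : 0;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    r.socket_errno = (fd < 0) ? errno : 0;

    /* Parse the constructed SMTP-style line: MAIL FROM:<address> */
    const char *p = strstr(raw, "MAIL FROM:<");
    if (p != NULL) {
        p += strlen("MAIL FROM:<");
        size_t n = strcspn(p, ">\r\n");
        if (n >= sizeof r.sender)
            n = sizeof r.sender - 1;
        memcpy(r.sender, p, n);
    }
    if (write(chan, &r, sizeof r) != (ssize_t)sizeof r)
        _exit(3);
    _exit(0);
}

/* Trusted side: the small audited check. One '@', conservative characters only. */
static int sender_is_acceptable(const char *s)
{
    int at = 0;
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++) {
        if (*s == '@')
            at++;
        else if (!isalnum((unsigned char)*s) && strchr("._-+", *s) == NULL)
            return 0;
    }
    return at == 1;
}

/* Returns 0 if the worker's result is accepted, 1 if rejected, -1 on failure. */
int run_confined(const char *raw, struct report *out)
{
    int sv[2], status;
    pid_t pid;
    ssize_t n;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    pid = fork();
    if (pid < 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    if (pid == 0) {
        close(sv[0]);
        worker(sv[1], raw);                      /* never returns */
    }
    close(sv[1]);
    n = read(sv[0], out, sizeof *out);
    close(sv[0]);
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof *out)
        return -1;
    out->sender[sizeof out->sender - 1] = '\0';  /* do not trust the worker's NUL */
    return sender_is_acceptable(out->sender) ? 0 : 1;
}

int main(void)
{
    struct report r;
    int rc = run_confined("MAIL FROM:<alice@example.org>\r\n", &r);  /* constructed input */
    printf("rc=%d sender=%s open:%s socket:%s\n", rc, r.sender,
           strerror(r.open_errno), strerror(r.socket_errno));
    return rc;
}
```

The worker's file and socket attempts both fail, yet the broker still receives the parsed sender over the pre-opened channel, so a compromised parser is left with nothing to reach except the one message format the broker checks.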

Re:which is most secure (1)

Bobdoer (727516) | more than 10 years ago | (#8214725)

"What is the most secure Linux setup?" The one with no networking drivers? :)

smart policy (3, Insightful)

son_of_asdf (598521) | more than 10 years ago | (#8214533)

This, IMHO, is smart policy. What better way to find the holes in a distro than to co-opt the people most capable of exploiting them? Even at worst this will give the folks at RH a good idea of what exploits are going to be most frequently used against their systems.

Of course, the security of any system is dependent upon the admin and how he/she configures the software used on the system, but this at least will help to establish a baseline from which to work, and provides full disclosure of any inherent system vulnerabilities to the admins that work with the system.

...as an added bonus, this /. post will see how the system might stand up to a major bandwidth spike....

Re:smart policy (1)

Herrieman (167396) | more than 10 years ago | (#8214627)

There is no reason why the security of a system should be dependent on an admin.

Software/Hardware should be secure by default, it should take a highly skilled admin to mess up the security of a system.

Re:smart policy (1)

wathead (730323) | more than 10 years ago | (#8214695)

I didn't read the article, but I have read about SE Linux, the module that was built by the NSA to run on a Red Hat 7.3 box. I was reading an article somewhere (I don't remember where) a while back. There was a guy who posted the IP address and the root password; all he asked was not to DDoS him. I don't think anyone ever got in the box.
I read an article in a magazine about a similar setup, and the people trying to break the system locally were also given root.
They did not believe that they were in fact root, and it had to be proved to them.
This may be a different form of SE Linux.

45 Seconds? (5, Insightful)

Eberlin (570874) | more than 10 years ago | (#8214536)

What happened? Someone ran a brute force root login with the pwlib dictionary or something? Maybe a quick ride with Nessus? Or was it a social engineer who managed to call someone and get the root password?

As has been echoed before time and again -- security is a process, not a product. Of course you'll have more secure products, but it's still up to a competent admin to make sure things are kept secure. Even then, you better have good backups because that one disgruntled guy who works in the mailroom on a machine already inside the firewall just might have an extra ace up his sleeve.

Re:45 Seconds? (0)

Anonymous Coward | more than 10 years ago | (#8214715)

I imagine it went like this:
1) Install RedHat from CD
2) Do not install any patches
3) Join IRC channel to discuss how Linux is more secure than Windows.

Technically Gutsy Move (2, Insightful)

deepbluegeek (703424) | more than 10 years ago | (#8214560)

I dig engineering/development efforts that come out and dare people to break their 'stuff'. It takes cojones to do such a thing and pretty talented developers to back up such a stance. More power to 'em!

damnit (-1, Offtopic)

OffTheLip (636691) | more than 10 years ago | (#8214573)

I hate when that happens

Other ways to improve Linux security? (5, Insightful)

Debian Troll's Best (678194) | more than 10 years ago | (#8214587)

RedHat's 'trial by fire' approach for their new security policy is a good one, and is something all distro makers should try. Nothing beats having your default security config probed and tested by the world's best crackers in a real life environment. But network security is only one piece of the puzzle. As the Windows community has demonstrated time and time again, trojans and spyware can be just as dangerous from a security point of view as network exploits. And while the problem may not be as severe on Linux due to the separation of the root user from the average day-to-day account, havoc may still be wreaked by a regular user downloading a package and installing it, and thus inadvertently installing a trojan.

It seems to me that our package managers (used by the majority of Linux users...not everyone compiles from source) are vulnerable to some type of subversion. They are not controlled or vetted by a central authority. There is no 'certificate' which can be attached to them to guarantee their purity. What the Linux community needs, I feel, is a type of central signing authority or cryptographically sealed DRM-compatible package management system. This could eliminate potential threats associated with trojaned Linux packages. Imagine a secure apt-get. Packages would be enveloped in a tough layer of crypt() security. They would be digitally signed by the Debian project manager, or even Ian Murdock for highly critical packages like the kernel. And it would be impossible to accidentally load and install a trojan. Apt-get could even be modified to 'phone home' and let the Debian administrators know which packages were the most popular (and make security updating easier!) packages were being installed and to automatically e-mail users with news of package updates and 'special offers' from co-sponsors. I look forward to the community's response!

Insightful? (0)

Anonymous Coward | more than 10 years ago | (#8214656)

Many distributions already use signing for packages. And the stuff about DRM and spyware is blatant trolling; try to be a little more subtle next time.

All PR and no substance. . . .again (4, Insightful)

Anonymous Coward | more than 10 years ago | (#8214621)

So now Red Hat is using the tired and cliche approach of getting PR by hosting a cracker contest. You would think that they'd have learned from previous examples [attrition.org]. Just because a system hasn't been defeated in a cracker contest doesn't mean it's secure. Security is a process, not something you can shrinkwrap. The proper way to demonstrate the security of a product is through repeated, thorough code audits like some other software distributions [openbsd.org] are doing. Things must be looking dire indeed for Redhat if they're starting to make announcements of products like this a la another company we know and love [microsoft.com].

Re:All PR and no substance. . . .again (2, Informative)

iggymanz (596061) | more than 10 years ago | (#8214707)

code audits are just one piece of security testing.....there's plenty of flaws that have been found in all major OS trying to break systems just by throwing different things at it. Being an OpenBSD fan, I see problem found where ICMPv6 on a listened tcp port can crash the 3.4 as version as found on distribution CD. Cracking contests are great for PR, true, but also yet another way to test security. Only relying on code audits is the same as trying to design aircraft by textbook only without ever doing wind tunnel test.

45 seconds in 1999 (1)

miffo.swe (547642) | more than 10 years ago | (#8214651)

That is five years ago just so you know.

So.... (0)

Anonymous Coward | more than 10 years ago | (#8214653)

Anyone know the IP in question?

Out of the Box? (0)

bluewee (677282) | more than 10 years ago | (#8214678)

Was this out of the box security, or after they put up a few firewalls, routers and set up some iptables?

red switch (1, Funny)

Anonymous Coward | more than 10 years ago | (#8214692)

Red Hat discovered that the vulnerability in the first version was tied to a switch on the back of the computer. The new version has this in the 'off' position by default.

now or later? (2, Interesting)

crabpeople (720852) | more than 10 years ago | (#8214704)

If you actually did find a hole, wouldn't it be a lot more profitable to wait till the OS is deployed worldwide and then exploit it?

I didn't RTFA, but the blurb said nothing of compensation if someone did crack it. If there is a bounty, I'm sure it's not as much as one would make cracking a bank a year from now.

Terrible name (1)

PacoTaco (577292) | more than 10 years ago | (#8214723)

Would you like Security-Enhanced or our regular Shitty-Security product?