Linux Users' Group of Davis (LUGOD)
 
Page last updated:
2002 Jun 11 14:38

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Re: [vox] Who opened the floodgates?



On Mon, 10 Jun 2002, Peter Jay Salzman wrote:

> begin Ryan <ryan@mother.com> 
> > On Monday 10 June 2002 08:16 pm, Rusty Minden wrote:
> > > Actually one had a concern about getting LINUX cracked into :-) A sysadmin
> > > told him it was not secure. Peter set him on the right track though. I was
> > > surprised to see the three RSVPs myself, but also very happy. We have 6
> > > RSVPs so far. Please let people know about the InstallFest and if you can
> > > come out please do so. I may RSVP myself if I can not figure out NVIDIA
> > > with Woody soon :-(
> > 
> > A bunch of insecure unneeded services will get any OS h4x0r3d, but that's 
> > partly what the installfests are for, to make sure people aren't going to 
> > mess things up and let the script kiddies run rampant on an insecure default 
> > install. cough*redhat*cough

[...]

> turning your services off is trivial and takes a second to do, so it's
> stupid not to turn off unnecessary services.  but just because you don't
> doesn't mean the sky is falling...  for the home system, the default
> redhat installation is good enough for modems.  prolly good enough for
> broadband connection systems too.

The issue is the definition of "necessary".  Every exposed service should
be monitored at regular intervals... the more services exposed, the bigger
your job.  You should monitor security notices for those services, and
update them reasonably soon if problems are announced.

Most people DO NOT NEED ANY EXPOSED SERVICES.  They don't want to monitor
security announcements, and really don't use the services much.  The
problem is they might think it is cool to expose services, but until they
read the installation documentation, configure the services themselves,
and see a few sample exploits, they won't understand the consequences of
their decisions.  Even then it is iffy, but at least they will have read
the documentation. :)

My preference is to disable every service until I have had a chance to
verify that the version is current and implement appropriate configuration
settings, and doing that for an installee irresponsibly leaves it up to
them to monitor a service they may not be familiar with.  Thus, I try to
gauge how savvy they are, and unless they squawk I disable as much as
possible and tell them to go read up on the service.

As for the relative security of modem connections versus fulltime
connections... that is a close relative of security through obscurity,
which the existence of automated exploits shows to be of little value.  
If a script kiddie scans you and identifies your services profile, s/he
can record that and come back later with a script if an actual weakness is
discovered in that combination of services.  Even if you are on a modem
bank, your new friend can scan that bank later to find you.  Whether they
do or not will depend on how they feel about either you personally or the
challenge you represent, but it is still basically obscurity that you are
relying on if you think a modem is more safe than a fulltime connection.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox


