
Re: Linux security



On Mon, 31 Aug 1998, C.J.LAWSON wrote:

> > I was having a discussion with my ISP about Linux.  He said he uses
> > Windows NT because it is much more secure than Linux.

Huh? NT is not only not secure, it can not be MADE secure.

> > He stated that
> > since the source code was available that it was very unsecure.

Did he explain how availability of source code makes something unsecure?
The only way one could think this is to assume that there are security
holes and that these can be found by looking at the source. If there
simply are not any holes, all the looking at the source in the world can
not help you.  The protocols are published standards, if a hole is
discovered in the source and exploited, it is repaired much more quickly
with open source.  Also, there is another assumption here that the only
people looking at the code for security holes are bad guys. In fact, that
is not true. Most security hazards are found by "good guys" that are
TRYING to find exploitable holes.

This is exactly why unix variants are so secure. The source has been
passed around college campuses and just about any imaginable attack has
been made on it.


> > He
> > mentioned something about attaining root access by downloading 
> > /etc/passwd and de-crypting the passwords.  He bases this on a source called
> > cicia.org. 

1. It is impossible to decrypt the passwords, you can ENCRYPT other words
and see if they result in the same hashed result. 

2. Anyone on the internet that keeps passwords in /etc/passwd is stupid
and deserves to be attacked. This is EXACTLY the reason /etc/shadow was
invented.


> > He said it reflected several cases of insecurity regarding
> > Linux. 

Just because a security alert is published does not mean that a flaw was
actually exploited to gain access to a system. All it means is that
someone LOOKING AT THE SOURCE CODE discovered a flaw, generated a fix, and
issued a security alert. In most cases, these alerts are issued by people
that have discovered flaws in the source code BEFORE the hole was
exploited by anyone.  The fact that more alerts are issued for Linux means
that holes are being discovered and repaired at a much faster rate than
for NT. 

In other cases, the flaws are with application programs that span multiple
operating systems as was the case with U of W pop3 and imap software
some time back.



George Bonser

The Linux "We're never going out of business" sale at an FTP site near you!
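
The check implied by point 2 of the message above, as an added example that is not part of the original post: it reads text in /etc/passwd format and reports entries whose password hash sits in the world-readable file instead of /etc/shadow. The sample entries and the names `audit_passwd` and `classify` are constructed for illustration.

```python
"""Added example: flag passwd(5) entries whose hash is not shadowed."""

# Constructed sample in /etc/passwd format; users and hash strings are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:ab1Cd2Ef3Gh4I:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
carol:!:1002:1002:Carol:/home/carol:/bin/bash
dave:!$1$constructed$notARealHashValue000:1003:1003:Dave:/home/dave:/bin/sh
not a passwd line
"""


def classify(field):
    """Map the second passwd field to a finding, or None if it is fine."""
    if field == "x":
        return None                      # hash lives in /etc/shadow
    if field == "":
        return "empty-password"          # login needs no password at all
    if field.startswith("*") or field.strip("!") == "":
        return None                      # locked marker only, no hash present
    return "hash-in-passwd"              # hash readable by every local user


def audit_passwd(text):
    """Return (line_number, user, finding) for every problem entry."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue                     # skip blank and comment lines
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((number, None, "malformed"))
            continue
        finding = classify(parts[1])
        if finding:
            findings.append((number, parts[0], finding))
    return findings


if __name__ == "__main__":
    for number, user, finding in audit_passwd(SAMPLE_PASSWD):
        print(f"line {number}: {user or '?'}: {finding}")
```

A locked entry that still carries a hash after the `!` (the constructed `dave` line) is reported, because the hash remains readable to anyone who can read the file.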

