
Re: Linux Security



samir agrawal proclaimed:
> Security by obscurity is hardly a way to go about building a robust and
> secure system. 

Very true.  For those of you interested in such stuff I highly recommend
http://www.oreilly.com/catalog/puis/noframes.html  There is lots in that
book about the ineffectiveness of security through obscurity.

> as for the fact that a malicious person may modify the sources, the
> first thing is that these changes will never make it into the main
> source tree of an operating system like linux, where each patch is
> reviewed and then added to the main tree by Linus himself. So if you
> get your source from the main tree, or at least authenticate the fact
> that you are getting it from somebody who got it from the main tree, well
> I see no problem.

It is not as if commercial unices are naturally more secure.  Take Solaris,
for instance.  Solaris does not come with many of the popular GNU stuff
(perl, bash, gcc, readline etc.)  So almost every Solaris admin I know of
first installs solaris and installs their favorite GNU tools on top.  The
important thing with installing freely available software is to (a)
Download from a site that you trust.  You trust Solaris because you trust
Sun.  Would you trust a copy of something labelled as 'Solaris' if you buy
it off someone on the street?  (b) Verify (using PGP, MD5 etc.) that the
sources / binary that you downloaded have not been messed with.  If you
follow these steps, your system is as secure as any other commercial unix.

> another thing is, an open source structure allows for audits to be
> put together like the Linux Security Project, in which programmers are
> going through each and every line of kernel and application source
> code to eliminate basic mistakes like buffer overflows and so on.
> Efforts like this are simply not possible in a non-opensource
> development format.

Also, a commercial company with a closed way of developing software can
never put its software through all kinds of (performance and security)
testing.  With open source, the software goes through much more rigorous
testing because anyone can download, audit and run your software.

Thaths
- -- 
Jim Hacker: Opposition is about asking awkward questions.
Sir Humphrey: And government is about not answering them.
Jim Hacker: Well, you answered all mine anyway.
Sir Humphrey: I'm glad you thought so, Minister.
Sudhakar C13n http://people.netscape.com/thaths/ Lead Indentured Slave
- --------------------------------------------------------------------
For more information on Linux in India visit http://www.linux-india.org/
Linux India is NOT a forum for Microsoft/India/Pakistan/US/UK bashing.
Flame baits will not be tolerated.  If you can appreciate satire read
http://www.templetons.com/brad/emily.html
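Step (b) above, as an added example that is not part of this thread: a small Python checker for an md5sum/sha256sum-style checksum list, run against constructed files (an intact tarball, a tampered one, and one that is missing). The file names and byte contents are made up for the demo; the checksum list itself must of course come from the trusted site in step (a), or its PGP signature must be verified, or it proves nothing.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksum_file(text):
    """Parse '<hexdigest>  <filename>' lines as written by md5sum/sha256sum."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in GNU coreutils output
        if not digest or not name:
            raise ValueError("malformed checksum line: %r" % line)
        expected[name] = digest.lower()
    return expected


def file_digest(path, algo):
    """Hash a file in chunks so large tarballs do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(directory, checksum_text, algo="sha256"):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every listed file."""
    results = {}
    for name, want in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        got = file_digest(path, algo)
        results[name] = "OK" if hmac.compare_digest(got, want) else "FAILED"
    return results


def demo():
    """Constructed scenario: perl intact, bash tampered with, gcc never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = b"intact perl source tarball bytes (constructed)"
        with open(os.path.join(d, "perl.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "bash.tar.gz"), "wb") as f:
            f.write(b"bash tarball altered in transit (constructed)")
        checksums = "\n".join([
            "%s  perl.tar.gz" % hashlib.sha256(good).hexdigest(),
            "%s  bash.tar.gz" % hashlib.sha256(b"original bash bytes").hexdigest(),
            "%s  gcc.tar.gz" % hashlib.sha256(b"gcc bytes").hexdigest(),
        ])
        return verify_downloads(d, checksums)
```

Calling `demo()` yields `{'perl.tar.gz': 'OK', 'bash.tar.gz': 'FAILED', 'gcc.tar.gz': 'MISSING'}`; pass `algo="md5"` to check MD5 lists of the kind mentioned in the post.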
