The comments are inline.

On Friday 18 February 2005 23:19, Tzafrir Cohen wrote:
| Hi
|
| Could anybody give a direct reference to the lecture notes or something
| similar? I have only read the report in the link above
|
| On Fri, Feb 18, 2005 at 05:58:34PM +0200, Alex Behar wrote:
| > Well, it all depends on how he defines security in Linux. RedHat
| > 6.2-secure or Adamantix/Hardened Gentoo-secure?
| > These last two beat Windows-based solutions out of the box any time, and
| > they have a pretty good chance surviving zero-day threats.
|
| This research did not check the level of security. It checked one of its
| parts: response to advisories.
|
| And it specifically checked a certain high-profile linux distribution.
|
| > All that, when Microsoft "advertise" that they are more secure compared
| > to RedHat, because they have less unpatched holes for the same period of
| > time, before releasing a patch. That is a complete joke! We all know
| > Redhat (not Fedora) is junk.
|
| I don't consider RedHat's level of security to be "joke". It certainly
| has sane defaults generally.
|
| > It worked its way down during the years to become the most
| > windows-like distribution out there and it is probably worsened since the
| > last time I checked. Although Fedora do surprise me, in a good way of
| > course, they still have a lot of work to do until they get to the level
| > of Gentoo-hardened or Adamantix - both from a security point of view, and
| > from ease of maintenance.
|
| Please check again. The defaults have become much better than in the
| days of RH62. It will now turn off most unnecessary services, install a
| simple iptables firewall by default etc.

Firewalling and "sane defaults" cannot protect you against zero day attacks, 
just like windows update can't - especially with the current publically 
available techniques. That's where security really matters, defending agains 
real world threats, not some automated publically-known attack by a tool like 
Core Impact, CANVAS or just a script kiddie with an exploit at his disposal.

|
| But this is not the issue here.

Ofcourse it is. There is no secure code and we all know that. There are simply 
too many things that can go wrong, thats why we need to approach the same 
problem from a few different angles in order to better protect ourselves. 
Coder make mistakes, they we are only human. Some make more then others...


|
| > Long story short,
| > the guy who that bold statement belongs to is probably either a corporate
| > insect Powered by Microsoft (tm), or an undercover MCSE.
|
| After so many "independent" researches that Microsoft has funded I tend
| to believe that this is the case here as well. However I'd like to get
| more details about the guy.
 
Maxim Kovgan mentioned (in a mail that arrived only to me, probably forgot to 
CC it) something about Fedora Core being more secure then the older RedHat 
generation. We all know that:) I totally agree with SELinux, its the 
ExecShield I have problems with, especially when there were two methods to 
circumvent it released just in the past month or so. OpenWall or PaX is the 
leading opensource technology for kernel-based code execution prevention and 
buffer overflow protection on x86, RedHat again made the mistake of 
reinventing the wheel.

Maxim also mentioned the painful enterprise topic of installing mission 
critical applications on Linux. I totally disagree with him. Maxim, if I was 
a bank manager or a government such and I had to decide on what to run my 
database, the first OS I'd scratch from my list are Windows, AIX and 
Linux/BSD. Solaris (if database), maybe even Z/OS or OpenVMS - depending on 
the needs of the facility. They have proven themselves over and over again 
through the years - some for security, but most of all - reliability. Such 
applications should simply stay corporately supported in order to keep 
companies calm and have them know someone has their backs - there's no other 
way. IBM now provides Linux support, thats a good start - lets see where that 
goes.

And for the record Maxim, I did an Oracle 9i and an Oracle 10g Database server 
installation of FreeBSD 5. Its not a trivial install, but its nothing the 
average UNIX geek can't accomplish:)


-- 
The difference between theory and practice, is that in theory, 
there is no difference between theory and practice.

Attachment: pgpaSSzbGH8xu.pgp
Description: PGP signature

Reply via email to