Rhandeev Singh wrote:

> I don't think any of us in the SLP group (correct me if I'm wrong) are
> qualified security people yet.  Probably not even collectively.  Security
> is a big area. To cover it sufficiently well requires competence in
> multiple areas:
>
>  (1) System administration caveats and gotchas
>  (2) Linux kernel and C library operation and exploits
>  (3) Poor programming practices
>  (4) Well-known as well as recent exploits in popular daemons + apps
>  (5) Safer alternatives to popular insecure daemons + proper operation
>  (6) Architectural security problems among popular Internet protocols
>  (7) Various means of securing popular Internet protocols +
>      interoperability problems
>  (8) Probably more...
>
> The above are only the general categories.  The details can become quite
> unmanageable; e.g. knowing the Java sand-box model, Java exploits in
> various Java VMs + fixes, UNIX shell script operation, scanf vs fgets in C
> programming, setuid programs, limitations of chroot environments, physical
> security, public key cryptographic methods, TLS vs SASL vs IPsec, etc etc
> etc...
>
> I think you understand now why we're not jumping and saying "yes, yes,
> we'll do this!" just yet.
>
> Rhan.

Configure the Linux server to boot from a floppy disk, boot it up and disable the
floppy and CDROM drive. Disconnect the machine from the network, put it into a
safe, take away the keyboard, mouse and monitor and you should be ok....:)

Just kidding!

I think Rhandeev is absolutely right. Security is a big area to cover and it
takes both experience and knowledge to get things right. You don't get them by
reading all those security books on the shelves, going to Rootshell, COAST, 2600,
Bugtraq and other black/white hat websites. It may be easier to secure your own
server than to write a whitepaper on how to secure Linux.

eddie