Rhandeev Singh wrote:
> I don't think any of us in the SLP group (correct me if I'm wrong) are
> qualified security people yet. Probably not even collectively. Security
> is a big area. To cover it sufficiently well requires competence in
> multiple areas:
I hope I will soon be. I am working with network security
in my workplace and just yesterday, I was doing some
black box testing with ISDN drivers with VPN. :) Anyway,
I will be looking into FreeSWAN pretty soon.
> (1) System administration caveats and gotchas
> (2) Linux kernel and C library operation and exploits
> (3) Poor programming practices
For 2 and 3, it is practically impossible to track. How the
hell are you going to make sure the developers do not program
in such a way that you can have buffer overflow? Given that
C has such a flexible way of expressing algorithms, that is
absolutely difficult.
> (4) Well-known as well as recent exploits in popular daemons + apps
> (5) Safer alternatives to popular insecure daemons + proper operation
> (6) Architectural security problems among popular Internet protocols
> (7) Various means of securing popular Internet protocols +
> interoperability problems
> (8) Probably more...
Yes, things like a certificate servers, how to make sure that these
servers are what they claim they are. Lots of things, lots of issue
to consider.
>
>
> The above are only the general categories. The details can become quite
> unmanageable; e.g. knowing the Java sand-box model, Java exploits in
> various Java VMs + fixes, UNIX shell script operation, scanf vs fgets in C
> programming, setuid programs, limitations of chroot environments, physical
> security, public key cryptographic methods, TLS vs SASL vs IPsec, etc etc
> etc...
>
> I think you understand now why we're not jumping and saying "yes, yes,
> we'll do this!" just yet.
>
> Rhan.
>
> On Sat, 26 Jun 1999, Moonshi Mohsenruddin wrote:
>
> > Basically, setting-up the basics security, hardening it for specific
> > servers, like FTP, WWW, SAMBA, etc... etc and I think you guys should know
> > better...
> >
> > --Moonshi
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ng
> > Kai Hoe Raymond
> > Sent: Wednesday, June 23, 1999 10:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [SLP] [Fwd: Call for Papers-SANS 1999 Workshop On Securing
> > Linux]
> >
> >
> > Moonshi Mohsenruddin wrote:
> >
> > > I am interested in Security of OSes, particularly on Linux but can we get
> > a
> > > pool of guys to collate the information of securing Linux and get some
> > good
> > > Linux Systems Security Administrators to assist us?
> >
> > What aspects do you want to know?
> >
> > >
> > >
> > > BTW, Lim Fung your name is very familiar... :)
> > >
> > > --Moonshi
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, June 15, 1999 9:44 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: [SLP] [Fwd: Call for Papers-SANS 1999 Workshop On Securing
> > > Linux]
> > >
> > > Anyone interested? :)
> > >
> > > -------- Original Message --------
> > > Subject: Call for Papers-SANS 1999 Workshop On Securing Linux
> > > Date: Mon, 14 Jun 1999 15:34:53 -0700
> > > From: Laura LeHew <[EMAIL PROTECTED]>
> > > Reply-To: Laura LeHew <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > >
> > > Call for Papers
> > > SANS 1999 Workshop On Securing Linux
> > > December 15-16, 1999
> > > San Francisco
> > >
> > > Deadline June 28, 1999
> > >
> > > Note: Best proposal will get a free trip to San Francisco to present their
> > > paper at the conference
> > >
> > > Conference Objective
> > > Topics
> > > Who Should Submit a Proposal
> > > How to Submit a Proposal
> > > Questions
> > > Program Sponsors
> > >
> > > LINUX is winning! Where other new operating systems failed, LINUX is
> > > gaining converts among users and vendors at an increasing rate, proving
> > > that the
> > > community of computer users can create extraordinarily valuable tools. At
> > > the
> > > same time Linux systems are the targets of a huge number of successful
> > > attacks.
> > >
> > > There is debate over the causes of storm of Linux security incidents, but
> > > whether it is the operating system's immaturity or the carelessness of its
> > > users, continued growth demands that Linux users and the developer
> > > community
> > > meet the security challenges.
> > >
> > > An important initiative was launched at SANS99 in Baltimore. Linux
> > experts
> > > from more than a dozen universities are jointly creating a hardened
> > version
> > > of
> > > Red Hat Linux, in a project named Bastille Linux. They are fixing the
> > > default
> > > configurations and adding security features so the university
> > > administrators
> > > will feel safer distributing Linux to students. Information on the
> > project
> > > may be
> > > found at http://www.bastille-linux.org/ . Every person who attends the
> > > Securing
> > > Linux Workshop will be given a copy for adaptation and/or redistribution.
> > >
> > > There's more that can and is being done to make Linux systems less
> > > vulnerable. If you are one of the people who have developed home-grown
> > > solutions or are one of the developers of a more secure version of Linux,
> > > please submit a proposal for the Securing Linux Workshop.
> > >
> > > If you have solutions (even partial ones) we welcome your input.
> > >
> > > The 1999 SANS San Francisco Network Security Conference is being held
> > > concurrently with the Intrusion Detection & Response Training Conference,
> > > where the nation's top network security and intrusion detection experts,
> > > people like Stephen Northcutt, Gene Schultz, Randy Marchany, Ed Skoudis,
> > > and many more will be teaching in-depth, full-day, intense courses for
> > > security practitioners.
> > >
> > > We hope that you will consider joining the Securing Linux Workshop to
> > > extend
> > > this tradition of quality by submitting a proposal for:
> > >
> > > A paper focused on practical solutions (2-10 pages) along with a
> > > presentation (25 or 50 minutes)
> > >
> > > other types of presentations (panels, demonstrations, mini-tutorials, etc.
> > > -
> > > 15-90 minutes in length)
> > >
> > > Even if you choose not to submit a short paper and presentation, we hope
> > > you
> > > will join us in San Francisco on December 11 - 16, 1999 for the workshops
> > > and
> > > courses that you feel will be helpful in meeting your professional needs.
> > > Course titles and a preliminary schedule will be posted to
> > > http://www.sans.org
> > > around July 15, 1999.
> > >
> > > Topics
> > >
> > > Any topic that you feel would provide immediate pragmatic information on
> > > Linux security to an assortment of researchers, practitioners, and
> > > observers
> > > coming to the workshop is invited. Here are a few topic groups that might
> > > give you ideas, but submissions are by no means confined to these:
> > >
> > > Hardening the Operating System
> > >
> > > Improving Practices and Procedures
> > >
> > > Risks Particular to Linux Systems
> > >
> > > Configuration Errors
> > >
> > > Silly Things Users Do
> > >
> > > Good New Tools
> > >
> > > Bad Tools New or Old
> > >
> > > Automating Installation to Reduce Risks
> > >
> > > Network-Based Intrusion Detection
> > >
> > > Host-Based Intrusion Detection
> > >
> > > Vulnerability Analysis
> > >
> > > Who Should Submit A Proposal and Why Should You
> > >
> > > Anyone who has done useful work in improving the security of Linux systems
> > > is invited to submit a proposal.
> > >
> > > The recognition afforded by being chosen to present some of your work can
> > > be
> > > a marvelous avenue of professional growth and can yield results throughout
> > > many aspects of your career. If you have a solution that you would like
> > to
> > > share, please consider taking the time to write it up and submit a
> > proposal
> > > to SANS. Being selected to be a part of the SANS faculty gets you more
> > > than
> > > just the rare ID&R-Securing Linux polo shirts. It also conveys an
> > > appreciation
> > > of the value you are contributing to the field.
> > >
> > > You don't have to be solving the largest problems in order to have your
> > > proposals accepted. We are looking for a wide variety of proposals and
> > > encourage you to submit one even if you are not sure of its worth.
> > > Besides the distinctive polo shirts, authors also earn substantial
> > > discounts
> > > on conference and tutorial attendance.
> > >
> > > If you are a vendor, please consider joining the SANS evening vendor
> > > presentation
> > > program. Contact [EMAIL PROTECTED] for opportunities to present technical
> > > aspects of your products to SANS participants in a variety of venues.
> > >
> > > How To Submit A Proposal
> > >
> > > Send an email to [EMAIL PROTECTED] with the subject `Securing Linux
> > > Proposal'.
> > >
> > > Submissions will only be accepted in any of the following formats: PDF,
> > > Word '97, PowerPoint '97, ASCII text, or HTML.
> > >
> > > Deadline for submission is June 28, 1999.
> > >
> > > Please include the following items:
> > >
> > > Your Name
> > > Preferred email
> > > Phone
> > > Fax
> > > Employer
> > > Surface mail address
> > >
> > > The title of your proposed presentation
> > > The length (25 minute presentation with 2-5 page paper or an alternative
> > > format).
> > >
> > > At least three paragraphs containing:
> > >
> > > The specific challenges or problems the presentation will help the
> > audience
> > > solve.
> > >
> > > The approach you used including any specific tools you created or used
> > > The evidence you have that proves that your approach works well and can be
> > > used by other people.
> > >
> > > SANS has made great strides in the past few years and is now recognized as
> > > one of the two most useful learning opportunities in the system
> > > administration, networking, and security field. This year, SANS is
> > > introducing policies that will enable us to continue to earn quality
> > > accolades:
> > >
> > > All presentations focus on actual challenges faced by system
> > > administrators,
> > > security professionals, and network managers.
> > >
> > > All presentations provide practical solutions that can be implemented
> > > immediately.
> > >
> > > All daytime presentations are free of vendor bias (except the panels in
> > > which multiple vendors are speaking together and will `correct' one
> > > another).
> > >
> > > Vendors and their representatives are welcome to present in the SANS
> > > evening
> > > program.
> > >
> > > All presenters will be given opportunities to ensure their presentation
> > > skills are the best they can be: through pre-conference training
> > > Programs, coaching-on-request for content and speaking, and/or audio tape
> > > exchange.
> > >
> > > Questions
> > >
> > > Please contact [EMAIL PROTECTED] with questions.
> > >
> > > Program Committee Chairs
> > > Alan Paller, The SANS Institute
> > > Jon Lasser, University of Maryland Baltimore Campus
> >
> > --
> > -------------------------------------------------------------
> > Ng Kai Hoe Raymond Pager : 92279944 ICQ UIN : 4878260
> > Editor, Singapore Linux Portal http://linux.com.sg
> > Email : [EMAIL PROTECTED] / [EMAIL PROTECTED]
> > PGP Public Key : http://members.tripod.com/~ngkaihoe/ngkaihoe.txt
> >
> > 'This has given me the greatest trouble and still does: to realize
> > that what things are called is incomparably more important than what
> > they are.'
> > - Friedrich Wilhelm Nietzsche, "The Gay Science"
> >
> >
> >
> >
--
-------------------------------------------------------------
Ng Kai Hoe Raymond Pager : 92279944 ICQ UIN : 4878260
Editor, Singapore Linux Portal http://linux.com.sg
Email : [EMAIL PROTECTED] / [EMAIL PROTECTED]
PGP Public Key : http://members.tripod.com/~ngkaihoe/ngkaihoe.txt
'This has given me the greatest trouble and still does: to realize
that what things are called is incomparably more important than what
they are.'
- Friedrich Wilhelm Nietzsche, "The Gay Science"
