[linux-security] Re: RedHat 5.X Security Book
daemon@ATHENA.MIT.EDU (Joseph S D Yao)
Thu Jul 30 22:44:04 1998
From: Joseph S D Yao <jsdy@gwyn.tux.org>
To: scott@sonic.net (Scott Doty)
Date: Wed, 29 Jul 1998 15:12:24 -0400 (EDT)
Cc: linux-security@redhat.com
In-Reply-To: <19980712040659.08960@sonic.net> from "Scott Doty" at Jul 12, 98 04:06:59 am
Reply-To: jsdy@tux.org
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
[Still catching up after weeks away ...]
Scott Doty proclaimed:
> On Fri, Jul 10, 1998 at 07:38:43AM -0300, Grant Taylor wrote:
> [regarding <seifried@seifried.org>'s book]
>
> >> The only thing I can see coming out of a "checklist" security setup
> >> is a false sense of security.
>
> IMHO, this is incorrect. A "checklist", or tutorial, would help
> new users mitigate risks -- and the resulting improved security is
> real, not imagined.
I would strongly suggest that the checklist point out that it is helping
people eliminate old risks, but that (a) it doesn't cover any security
fixes found after [give date of last revision], and (b) the better the
administrator understands his or her system, the better he or she can
understand its security needs.
I'm sure that's more or less obvious here; but I think it needs to be
said.
> [1] As exploit information propagates through the
> grapevine, more and more people may potentially attack your system,
> which increases the risk of compromise. This seems to be the
> discrete case of a general security principle, where risk can be
> expressed as a function of time.
...
> If someone has heard of a discussion of "Security through
> obscurity" as a function of time, I'd really appreciate a
> pointer. Thanks.
I'd imagine that the risk would remain constant - an UNKNOWN constant,
but different for each obscured thing - until someone turns over the
right rock. After that, the risk would follow the same curve as above.
It would increase until the benefit [to the cracker] of knowing the hack
outweighs the costs. In other words, when too few systems have the risk
to make it worth knowing. At that point, the system's risk actually
DEcreases. E.g.: how many people remember the program and string used
to crack DEC PDP-11 Sixth Edition Unix, and make it give you a root
shell? [RHETORICAL QUESTION. Well, maybe not. How many do remember
them? I've forgotten the string; but I could make one up pretty
quickly.]
Joe Yao jsdy@tux.org - Joseph S. D. Yao
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null