[96846] in RedHat Linux List
Re: RedHat bugs???
daemon@ATHENA.MIT.EDU (Mike Bridge)
Thu Oct 29 16:10:15 1998
From: "Mike Bridge" <mike@bridgecanada.com>
To: redhat-list@redhat.com
Date: Thu, 29 Oct 1998 14:05:55 -0700
CC: elawson@lr.net (Ed Lawson)
In-reply-to: <19981029193437.AAA20346@office4.office.new>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
It's not "odd" at all. There are all sorts of networks all over. Not all of
them are run by experts, and lots of them don't realize how easy it is to
break into an unpatched system. I learned this the hard way a couple
months ago. As evidence that the problem isn't isolated, I had a list of
*hundreds* of ip addresses for unpatched RedHat systems (including
what vulnerabilities to try) which were left behind by a cracker running a
scanner.
To say that people should know better is to ignore the problem. The fact
is, Linux is growing rapidly as a cheap, secure alternative in business
and lots of people who haven't had any experience with it are being
asked to run them. Linux is currently getting very positive press for
solidity and security, so why shouldn't it "sound right" that it could to fend
for itself with the millions of other machines visible on the web?
My point is that it should be readily apparent from the very beginning of a
user's relationship with Linux that this isn't the case; all the Linux
distributions are just as vulnerable as Microsoft to bugs (they just get
fixed faster). Given the evidence of widespread lack of knowledge about
this, it should be much more apparent to a newcomer that *although* you
just "installed" the OS, the installation isn't done: the next step is to
replace what they just installed with patches from ftp.redhat.com.
We should never make the assumption that someone should just know
better, especially if we're trying to attract new people to Linux. This is the
kind of condescending attitude that sours potential interest from new
users.
The original writer mentioned that his hacker friend told him that RedHat
distributions are known to be insecure. I strongly support Red Hat and I
know from experience there is a great deal of quality in the distribution.
That's why I don't want to see them acquire a bad reputation.
-Mike
> On Thu, 29 Oct 1998 10:35:11 -0700, Mike Bridge wrote:
>
> >I've recently talked to about 10 or so administrators who were "trying out"
> >Linux on their sites and had their machines broken into by hackers. All
> >of them were using unpatched distributions of RedHat 5.x, and most of
> >them were shocked by the experience and are wiping Linux off and
> >installing NT.
>
> Maybe I'm missing something here, but this sounds odd. These people are putting
> up RH boxes for testing on the Internet in a corporate environment without a firewall or
> other security on their corporate network? They are doing a stock install and not taking
> any steps to select only needed services? They never have cracker attacks otherwise?
> Just does not sound right.
>
> Ed Lawson
>
--
Mike Bridge <mike@bridgecanada.com>
System Administrator
Global Sourcing Network
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.