[1834] in SIPB_Linux_Development
Linux security
daemon@ATHENA.MIT.EDU (Erik Nygren)
Tue Sep 30 15:13:36 1997
To: linux-dev@MIT.EDU, network@MIT.EDU, net-security@MIT.EDU, efoo@MIT.EDU,
fbyte@sub-zero.mit.edu
Date: Tue, 30 Sep 1997 15:12:50 EDT
From: Erik Nygren <nygren@MIT.EDU>

Our current scheme for dealing with security holes, break-ins, and the
notification of users seems to be non-ideal. We aren't able to get
information (and therefore fixes) out to users fast enough to avoid
break-ins and we have problems with users not installing fixes. We
also have a system where it's fairly difficult for some users to not
send their passwords over the net when coming in from non-Athena
machines. When break-ins do occur and people notice them (which is
probably a small percentage of break-ins), the current model seems to
be to tell users to reinstall machines and to send mail to
network-security, which doesn't seem to find it worth their time to
trace down the culprit, even when presented with detailed logs (and it
may very well not be worth their time).

So, it seems that we should have a meeting to discuss what can be done
to improve the security of Linux systems and to improve user awareness
about security issues. In addition to the linux-dev team, we should
also try to get some people from network, plus other clueful and
active linux users, to show up.

Do other people feel this would be worthwhile? How about a meeting
this Thursday evening (or would some other time be better for people)?

We can also talk about what needs to be done before we can release
RedHat Linux-Athena 4.2 (on a side-note, would it be useful to have a
linux-beta mailing list that consists of clueful users willing to
try out beta Linux-Athena releases so that they get better tested
before being released?)

Erik