[1836] in SIPB_Linux_Development


Re: Linux security

daemon@ATHENA.MIT.EDU (Bob Mahoney)
Tue Sep 30 16:58:18 1997

To: Erik Nygren <nygren@MIT.EDU>
Cc: linux-dev@MIT.EDU, network@MIT.EDU, net-security@MIT.EDU, efoo@MIT.EDU,
        fbyte@sub-zero.mit.edu
In-Reply-To: Your message of "Tue, 30 Sep 1997 15:12:50 EDT."
             <199709301912.PAA17888@zocalo.mit.edu> 
Date: Tue, 30 Sep 1997 16:57:56 EDT
From: Bob Mahoney <bobmah@MIT.EDU>

Erik-

> Our current scheme for dealing with security holes, break-ins, and the
> notification of users seems to be non-ideal.

While we all try, this is probably true...

> We aren't able to get
> information (and therefore fixes) out to users fast enough to avoid
> break-ins and we have problems with users not installing fixes.  We
> also have a system where it's fairly difficult for some users to not
> send their passwords over the net when coming in from non-Athena
> machines.

Our experience has been that the vast majority of these incidents starts 
with a sniffed password.  System weaknesses come later.  Excepting a 
question about NCSA telnet to a linux ktelnetd (being investigated), we do 
have kerberized clients for Macs and PCs.

> When break-ins do occur and people notice them (which is
> probably a small percentage of break-ins), the current model seems to
> be to tell users to reinstall machines and to send mail to
> network-security which doesn't seem to find it worth their time to
> trace down the culprit, even when presented with detailed logs (and it
> may very well not be worth their time).

Thanks for the last, at least.  We judge it to be not worth our time in 
most cases.  Getting compromised machines secure again is our focus.  Our 
opinions and such about that can be found at:

http://web.mit.edu/network/unix_security.html

Comments/suggestions welcome and appreciated.

> So, it seems that we should have a meeting to discuss what can be done
> to improve the security of Linux systems and to improve user awareness
> about security issues.  In addition to the linux-dev team, we should
> also try to get some people from network, plus other clueful and
> active linux users, to show up.
> 
> Do other people feel this would be worthwhile?  How about a meeting
> this Thursday evening (or would some other time be better for people)?
> We can also talk about what needs to be done before we can release
> RedHat Linux-Athena 4.2 (on a side-note, would it be useful to have a
> linux-beta mailing list that consists of clueful users willing to
> try out beta Linux-Athena releases so that they get better tested
> before being released?)

As much as we in the network group are usually still here at night, I'd 
prefer a daylight meeting if possible.  I'm sure we could get some 
reasonable IS representation together for most non-early times.  We're up 
for meeting anyone with good ideas and an open mind.  We all want fewer 
break-ins.

-Bob

-- 
Bob Mahoney              http://web.mit.edu/bobmah/
MIT Network Operations   617/253-0774


