LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-23-2005, 04:45 PM   #61
Bill Johns
Member
 
Registered: Mar 2005
Distribution: Zenwalk for now
Posts: 82

Rep: Reputation: 15

I did read something about windoze versions having a back door in security or encryption so the NSA or one of those 3 letter departments could freely access your info.
And with all those hidden files it makes a person wonder what's up.
 
Old 04-23-2005, 07:48 PM   #62
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
Here's a very quick way to make an expensive door stop, as it was referred to in one of my posts.

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Then have a cron job do an iptables -F every 30 mins to reset the firewall script just in case you lock yourself out, without forgetting to do an iptables -P FORWARD ACCEPT.....
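
Added example, not part of the post above: a one-shot rollback around a default-DROP ruleset, showing why the reset must restore the policies as well as flush the rules. The function names are hypothetical, SSH on port 22 is an assumption, and the conntrack match is assumed to be available.

```shell
#!/bin/sh
# Added example (hypothetical function names). Run as root; for a dry run that
# only prints the commands, set IPT="echo iptables".
IPT="${IPT:-iptables}"

# Return to a fully open firewall. Policies are reset BEFORE the flush:
# `iptables -F` deletes rules but leaves -P alone, so a flush on its own
# under a DROP policy drops every packet.
fw_open() {
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P "$chain" ACCEPT || return 1
    done
    $IPT -F && $IPT -X
}

# Default-DROP on all three chains, keeping loopback, replies to existing
# connections and inbound SSH. ACCEPT rules go in first and the DROP
# policies last, so there is no window in which the admin session is cut.
fw_lockdown() {
    ssh_port="${1:-22}"   # assumption: sshd listens here
    fw_open &&
    $IPT -A INPUT -i lo -j ACCEPT &&
    $IPT -A OUTPUT -o lo -j ACCEPT &&
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    $IPT -A INPUT -p tcp --dport "$ssh_port" -j ACCEPT &&
    $IPT -P INPUT DROP &&
    $IPT -P FORWARD DROP &&
    $IPT -P OUTPUT DROP
}

# One-shot rollback instead of a recurring cron job: schedule fw_open, apply
# the lockdown, and let the admin cancel the rollback after confirming access.
fw_apply_with_rollback() {
    timeout="${1:-120}"
    ( trap '' HUP; sleep "$timeout"; fw_open ) &   # survives a dropped session
    ROLLBACK_PID=$!
    fw_lockdown "${2:-22}" || { fw_open; return 1; }
    echo "Locked down. If a NEW ssh login works, run: kill $ROLLBACK_PID"
}

# Usage: sh fw.sh apply [seconds] [ssh_port]   |   sh fw.sh open
case "${1:-}" in
    apply) fw_apply_with_rollback "${2:-120}" "${3:-22}" ;;
    open)  fw_open ;;
esac
```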
 
Old 04-23-2005, 08:10 PM   #63
predator.hawk
Member
 
Registered: Aug 2004
Location: USA
Distribution: FreeBSD-5.4-STABLE
Posts: 252

Rep: Reputation: 30
Quote:
Originally posted by Greg Haynes
To answer the is it more secure question, in my opinion (although I'm sure to get bashed for this by many a people) linux is not more secure right out of the box than most distros. Before I get bashed by all of mankind who knows anything about computers, linux is far more secure if you're willing to dig in and make some adjustments. Also a lot faster. So if you're talking about considerable money transactions I would use linux, but I would suggest using grsecurity, which considerably hardens the kernel.
<rant>
grsecurity is VERY flawed, its protection measures can't stack up against a combination of special patches. Its buffer overflow protection is laughable, its RSBAC is also quite laughable. Using grsecurity is a horrible idea, hell I don't even know why it exists aside from stupidity. My personal preference for RSBAC is SELinux or LIDS. For buffer protection, there really is only one, execshield-nx, which can actually take advantage of No Execute on x86 systems running an AMD64 chip. grsecurity is horrible because it just doesn't get anything completely right.
</rant>

Edit: Also, RSBAC and LIDS are two different types of system, LIDS is a MAC system, similar to SELinux but LIDS allows better control than SELinux in most cases.

Last edited by predator.hawk; 04-23-2005 at 08:16 PM.
 
Old 04-23-2005, 08:44 PM   #64
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
I think the comments in regards to Linux out of the box not being secure compared to Windows are actually fairly interesting.

I believe while Windows is actually tighter out of the box, Linux has its advantage because there are plenty of tools out there to harden your box to extreme measures that a Windows box may not necessarily be able to do.

To me as an onlooker and user of both Windows XP and Linux environments (CentOS 3.4 at the moment), I have personally benefited from the flexibility of Linux, the documentation, the Linux community and freely available source code to adapt things to my own needs.
 
Old 04-24-2005, 09:05 AM   #65
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 465

Rep: Reputation: 32
Quote:
My personal preference for RSBAC is SELinux or LIDS.
This is the most stupid statement in this thread I have read. LIDS (Linux Intrusion Detection System) is a set of MAC controls.
RSBAC is not SELinux.
RSBAC means Rule Set Based Access Control, which is more than MAC.
SELinux uses Role Based Access Control, which is more than MAC.

You can compare grsec to RSBAC or SELinux if you want. I believe that you have read something somewhere without understanding what is what.

By the way, Steve Gibson usually has no idea what he is talking about. Best example: his nanoprobe could be used for quite some time to launch a DoS attack. There is more about him, no point to discuss.
Killing IE is really not an efficient way of getting rid of MS sneaking around. Or rather the user leaving traces of computer usage everywhere.

Last edited by broch; 04-24-2005 at 09:24 AM.
 
Old 04-25-2005, 10:20 AM   #66
69_rs_ss
Member
 
Registered: Jan 2004
Location: NY, USA
Distribution: Arch, openSUSE 11.1
Posts: 170

Rep: Reputation: 31
Quote:
Originally posted by Bill Johns
I did read something about windoze versions having a back door in security or encryption so the NSA or one of those 3 letter departments could freely access your info.
And with all those hidden files it makes a person wonder what's up.
I read that too. It was a book called "Digital Fortress" by Dan Brown. Other than that, I haven't seen it anywhere as a real topic.

Last edited by 69_rs_ss; 04-25-2005 at 10:25 AM.
 
Old 04-25-2005, 11:10 PM   #67
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
Quote:
Originally posted by 69_rs_ss
I read that too. It was a book called "Digital Fortress" by Dan Brown. Other than that, I haven't seen it anywhere as a real topic.
You mean like this one taken from these ?

 
Old 04-26-2005, 11:01 AM   #68
69_rs_ss
Member
 
Registered: Jan 2004
Location: NY, USA
Distribution: Arch, openSUSE 11.1
Posts: 170

Rep: Reputation: 31
Reading the links you posted, so far all I see is it is speculation. From the first article:
Quote:
"We checked some older files going back to 1998 and found the NSA markings," said Richard Smith, president of Phar Lap Software. "NSA could be an abbreviation for anything, such as non-standard authentication."
If it truly is a backdoor then that is sad. That backdoor should be taken out of the OS then.
 
Old 04-26-2005, 11:11 AM   #69
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
Depends on the legality of its use.

For example, a government agency cannot just simply tap your phone for the hell of it, but they can if they are authorised to do so by an official.
 
Old 04-26-2005, 01:04 PM   #70
chris318
Member
 
Registered: Feb 2005
Distribution: Slack
Posts: 122

Rep: Reputation: 19
This thread is silly. If the NSA wanted to get into your computer they don't need a "second key" to do it. They are the NSA for cryin' out loud, they can easily get into your computer without being given a key. You can encrypt it any way you like and they will still easily get whatever they want. It is what they do... break encryption that is, and they are extremely good at it and don't need "second keys".

Last edited by chris318; 04-26-2005 at 01:29 PM.
 
Old 04-26-2005, 02:55 PM   #71
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
Quote:
Originally posted by chris318
This thread is silly. If the NSA wanted to get into your computer they don't need a "second key" to do it. They are the NSA for cryin' out loud, they can easily get into your computer without being given a key. You can encrypt it any way you like and they will still easily get whatever they want. It is what they do... break encryption that is, and they are extremely good at it and don't need "second keys".
100% agree: if the NSA wanted to look into your system they will. Besides, you would have had to do something illegal and naughty enough for them to even get to this stage. Anyway, who needs a key to get access to your system when the NSA could get a warrant like any government agency?
 
Old 04-28-2005, 09:08 PM   #72
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
Quote:
Originally posted by 69_rs_ss
Reading the links you posted, so far all I see is it is speculation.
Were you paying attention?

Quote:
In a faxed statement, the NSA said: "U.S. export control regulations require that cryptographic APIs [of which the key is one element] be signed. The implementation of this requirement is left up to the company." API stands for application programming interface.

Microsoft's Culp said that "as part of the crypto licensing process, CryptoAPI was reviewed by the NSA. We presented the crypto architecture to the NSA, including the backup key, and they approved that."
It's all fairly moot of course, since I'm guessing the keys have been changed since 1999 when this story was all the rage ...

As for the NSA -- I know everyone likes to think that they can bend steel with their minds and walk through walls and silly things like that, but computers and math don't bend to imagination ... It's just ones and zeros ...

As an example of why the idea of the NSA guessing keys to crypto systems is just silly, let's look at 128bit IDEA.

Quote:
128bits in base 10 is 340,282,366,920,938,463,463,374,607,431,768,211,456. To recover a particular key, one must, on average, search half the keyspace. That is 127 bits or 170,141,183,460,469,231,731,687,303,715,884,105,728.

If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec, it would still take all these machines longer than the universe as we know it has existed and then some, to find the key. IDEA, as far as present technology is concerned, is not vulnerable to brute-force attack, pure and simple.
There's more here.
 
Old 04-28-2005, 09:35 PM   #73
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
Why not close the thread before it gets silly?
 
Old 04-28-2005, 10:19 PM   #74
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 47
Why not leave it open so the adults can have a constructive conversation?
 
Old 04-28-2005, 10:36 PM   #75
chris318
Member
 
Registered: Feb 2005
Distribution: Slack
Posts: 122

Rep: Reputation: 19
The NSA does a lot more than just guess. They have some of the smartest mathematicians, engineers, and computer geeks in the world thinking of ways to break encryption. Most of the algorithms and computer hardware they've developed are kept top secret so no one knows for sure exactly what they are capable of. I'm sure they like it that way.

I'm also sure they are not using the stupid brute force method suggested. I'm sure their algorithms are a bit more complicated and efficient than that.
 
  

