LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-23-2005, 04:45 PM   #61
Bill Johns
Member
 
Registered: Mar 2005
Distribution: Zenwalk for now
Posts: 82

Rep: Reputation: 15

I did read something about windoze versions having a back door in security or encryption so the NSA or one of those 3 letter departments could freely access your info.
And with all those hidden files it makes a person wonder whats up.
 
Old 04-23-2005, 07:48 PM   #62
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
heres a very quick way to make an expensive door stop as it was refered to in one of my posts.

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Then having a cron job to do an iptables -F every 30 mins to reset the firewall script just in case you lock yourself out, without forgetting to do a IPTABLES -P FORWARD ACCEPT.....
 
Old 04-23-2005, 08:10 PM   #63
predator.hawk
Member
 
Registered: Aug 2004
Location: USA
Distribution: FreeBSD-5.4-STABLE
Posts: 252

Rep: Reputation: 30
Quote:
Originally posted by Greg Haynes
to answer the is it more secure question, in my opinion (although im sure to get bashed for this by many a people) linux is not more secure right out of the box than most distros. Before i get bashed by all of mankind who knows anything about computers, linux is far more secure if your willing to dig in and make some adjustments. Also alot faster. So if your talking about considerable money trnsactions i would use linux, but i would suggest using grsecurity, which considerably hardens the kernel.
<rant>
grsecurity is VERY flawed, it's protection messure's can't stack up against a combination of special patches. It's buffer overflow protection is laughtable, it's RBSAC is also quite laughtable. Using grsecurity is a horrible idea, hell I don't even know why it exists aside from stupidity. My personal preference for RSBAC is SELinux or LIDS. For buffer protection, there really is only one, execshield-nx, which can actually take advantage of No Execute on x86 system's running a AMD64 chip. grsecurity is horrible because it just doesn't get anything completely right.
</rant>

Edit: Also, RSBAC and LIDS are two different types of system, LIDS is a MAC system, similer to SELinux but LIDS allows better controll then SELinux in most cases.

Last edited by predator.hawk; 04-23-2005 at 08:16 PM.
 
Old 04-23-2005, 08:44 PM   #64
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
I think the comments in regards to linux out of the box not secure compared to windows actually fairly interesting.

I believe while Windows is actually tighter out of the box, linux has its advantage because there are plenty of tools out there to harden your box to extreme measures that a windows box my not necessarly be able to do.

To me as an onlooker and user of both windows xp and linux environments centOS 3.4 at the moment I have personally benefited from the flexability of linux, the documentation, linux community and freely available sourcecode to adapt things to my own needs
 
Old 04-24-2005, 09:05 AM   #65
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
Quote:
My personal preference for RSBAC is SELinux or LIDS.
This is most stupid statement in this tread I have read. LIDS (Linux Intrusion Detection System) is set of MAC controls
RSBAC is not SELinux
RSBAC means Rule Set Based Access Control which is more than MAC.
SELinux uses Role Based Access Control is more than MAC.

Yo can compare grsec to RSBAC or SELinux if you want. I believe that you have read somewhere something not understanding what is what.

By the way Steve Gibson usually has no idea what he is talking about. Best example: his nanoprobe could be used for quite some time to launch DOS attack. There is more abot him, no point do discuss.
Killing IE is really not efficient way of getting rid of MS sneaking around. Or rather user leaving traces of computer usage everywhere.

Last edited by broch; 04-24-2005 at 09:24 AM.
 
Old 04-25-2005, 10:20 AM   #66
69_rs_ss
Member
 
Registered: Jan 2004
Location: NY, USA
Distribution: Arch, openSUSE 11.1
Posts: 170

Rep: Reputation: 31
Quote:
Originally posted by Bill Johns
I did read something about windoze versions having a back door in security or encryption so the NSA or one of those 3 letter departments could freely access your info.
And with all those hidden files it makes a person wonder whats up.
I read that too. It was a book called "Digital Fortress" by Dan Brown. Other then that, I haven't seen it anywhere as a real topic.

Last edited by 69_rs_ss; 04-25-2005 at 10:25 AM.
 
Old 04-25-2005, 11:10 PM   #67
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Quote:
Originally posted by 69_rs_ss
I read that too. It was a book called "Digital Fortress" by Dan Brown. Other then that, I haven't seen it anywhere as a real topic.
You mean like this one taken from these ?

 
Old 04-26-2005, 11:01 AM   #68
69_rs_ss
Member
 
Registered: Jan 2004
Location: NY, USA
Distribution: Arch, openSUSE 11.1
Posts: 170

Rep: Reputation: 31
Reading the links you posted, so far all I see is it is speculation. From the first article:
Quote:
"We checked some older files going back to 1998 and found the NSA markings," said Richard Smith, president of Phar Lap Software. "NSA could be an abbreviation for anything, such as non-standard authentication."
If it truly is a backdoor then that is sad. That backdoor should be taken out of the OS then.
 
Old 04-26-2005, 11:11 AM   #69
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
Depends on the legality of its use.

For example a government agency cannot just simply tap your phone for the hell of it but they can if they are authorised to do so my an official.
 
Old 04-26-2005, 01:04 PM   #70
chris318
Member
 
Registered: Feb 2005
Distribution: Slack
Posts: 122

Rep: Reputation: 19
This thread is silly. If the NSA wanted to get into your computer they don't need a "second key" to do it. They are the NSA for cryin out load, they can easily get into your computer without being given a key. You can encrypt it anyway you like and they will still easily get whatever they want.. It is what they do... break encryption that is and they are extremely good at it and don't need "second keys".

Last edited by chris318; 04-26-2005 at 01:29 PM.
 
Old 04-26-2005, 02:55 PM   #71
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
Quote:
Originally posted by chris318
This thread is silly. If the NSA wanted to get into your computer they don't need a "second key" to do it. They are the NSA for cryin out load, they can easily get into your computer without being given a key. You can encrypt it anyway you like and they will still easily get whatever they want.. It is what they do... break encryption that is and they are extremely good at it and don't need "second keys".
100% agree if the NSA wanted to look into your system they will. Besides you would of had to do something illegal and naughty enough for them to even get to this stage. Anyway who needs a key to get access to your system when the NSA could get a warrant like any government agency
 
Old 04-28-2005, 09:08 PM   #72
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Quote:
Originally posted by 69_rs_ss
Reading the links you posted, so far all I see is it is speculation.
Were you paying attention?

Quote:
In a faxed statement, the NSA said: "U.S. export control regulations require that cryptographic APIs [of which the key is one element] be signed. The implementation of this requirement is left up to the company." API stands for application programming interface.

Microsoft's Culp said that "as part of the crypto licensing process, CryptoAPI was reviewed by the NSA. We presented the crypto architecture to the NSA, including the backup key, and they approved that."
It's all fairly moot of course, since I'm guessing the keys have been changed since 1999 when this story was all the rage ...

As for the NSA -- I know everyone likes to think that they can bend steel with their minds and walk through walls and silly things like that, but computers and math don't bend to imagination ... It's just ones and zeros ...

As an example of why the idea of the NSA guessing keys to crypto systems is just silly, let's look at 128bit IDEA.

Quote:
128bits in base 10 is 340,282,366,920,938,463,463,374,607,431,768,211,456. To recover a particular key, one must, on average, search half the keyspace. That is 127 bits or 170,141,183,460,469,231,731,687,303715,884,105,728.

If you had 1,000,000,000 machines that could try 1,000,000,000 keys/sec, it would still take all these machines longer than the universe as we know it has existed and then some, to find the key. IDEA, as far as present technology is concerned, is not vulnerable to brute-force attack, pure and simple.
There's more here.
 
Old 04-28-2005, 09:35 PM   #73
xathras
LQ Newbie
 
Registered: Jun 2004
Posts: 25

Rep: Reputation: 15
why not close the thread before it gets silly
 
Old 04-28-2005, 10:19 PM   #74
sigsegv
Senior Member
 
Registered: Nov 2004
Location: Third rock from the Sun
Distribution: NetBSD-2, FreeBSD-5.4, OpenBSD-3.[67], RHEL[34], OSX 10.4.1
Posts: 1,197

Rep: Reputation: 46
Why not leave it open so the adults can have a constructive conversation?
 
Old 04-28-2005, 10:36 PM   #75
chris318
Member
 
Registered: Feb 2005
Distribution: Slack
Posts: 122

Rep: Reputation: 19
The NSA does a lot more than just guess. They have the some of the smartest mathematicians, engineers, and computer geeks in the world thinking of ways to break encryption. Most of the algorithms and computer hardware they've developed is kept top secret so we no one knows for sure exactly what they are capable of. I'm sure they like it that way.

I'm also sure they are not using the stupid brute force method suggested. I'm sure their algorithms are a bit more complicated and efficient than that.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
The Most Secure Linux System Is Embedded Linux That's Jumpered t3gah Linux - Security 2 06-12-2005 08:49 PM
VSFTPD with secure & non-secure logins Ricci Graham Linux - Software 5 04-07-2005 04:12 PM
Secure email (SSL vs. secure authentication) jrdioko Linux - Newbie 2 11-28-2004 01:39 PM
Linux Secure? garr0323 Linux - General 7 02-15-2004 02:52 PM
boot options: linux-secure, linux-nonfb etc Li-Wen Linux - General 1 01-17-2004 02:14 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 09:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration