|
| |
Unix System Security
|  |
|
|
Unix has come a long way in the area of security since earlier
days. There are still lots and lots of holes to be exploited by
Bad Guys however.
|
|
A good package for finding common (and not so common) holes in your
Unix system security is
COPS
by Dan Farmer. This and many other useful tools are available from
the CERIAS FTP Archive at Purdue University. They also maintain the know
universe's premier security hot list
|
|
For a time, I maintained a Unix host utility called
op, a program for managing root access on
Unix systems. It was written by Dave Koblas after a design by Tom
Christiansen. (Tom couldn't release his code because of objections
by his employer.) I noticed the other day that it has made it into
the FreeBSD ports collection. What's funny about this is, I have
been using sudo for
that sort of thing for years. Op has a couple of features that sudo
doesn't, but it's not being actively maintained like sudo is.
|
|
I recently released sudoscript, a
pair of Perl scripts that allow you to run a root shell with logging
under sudo. If you'd like to know why you might want to do such a
thing, check out the link.
|
| |
TCP/IP Network Security
|  |
|
|
TCP/IP network security has also come a long way since the birth of
the Internet. The IETF has
been working on a set of standards for TCP/IP security collectively
known as IPSEC. These standards form the basis for working IPSEC
implementations from dozens of vendors. I used to work for one such
vendor, the CIPS division of Nokia. Alas, they are no more, like so many promising (and
otherwise) players in the dot com boom. In subsequent jobs, I've
had fun getting their hardware working with KAME, the IPSEC stack used in
the free *BSD projects, and with FreeS/WAN, the Linux IPSEC
project.
|
|
Even without a full-blown IPSEC product, there's still
much you can do to secure communications over the Internet. One useful
tool is SSH
or "Secure Shell".
This software encrypts communications over TCP/IP networks using
a variety of strong algorithms. It uses public key cryptography for
authentication and key
exchange. In recent years, the OpenSSH project has emerged with a high quality, open source
implementation of the SSH1 and SSH2 protocols. It's tightly coupled with
the OpenBSD project, which
aims to maintain a "secure by default" BSD Unix derived
operating system. Fortunately, volunteers at OpenSSH work at producing a
portable version
of the OpenSSH package. This has been hugely successful, and OpenSSH
now comes standard with a variety of free operating systems. Given
the surge in popularity of these operating systems, this means that
OpenSSH has made a significant contribution to Internet host and network
security.
|
| |
Internet Privacy
|  |
|
|
Why should I be concerned about my privacy on the Internet? I've got
nothing to hide, after all. And don't those terrorists use
encryption? It must be baaad stuff!
|
|
Privacy is a concern if you are a consumer, and the people who are
trying to sell you stuff want to know everything they can about
you. They don't want this information so they can help you to make
rational buying decisions. They want it so they can match you
against psycho-social profiles that in turn tell them the best way
to get you to make irrational buying decisions! You
may need privacy if you must communicate with someone who has
threatened you, or may do so. And finally, who the hell's business
is it to ask why you need privacy?
|
|
There are lots of good tools out there to help keep your data
private. GNU Privacy Guard is one such application, compliant with the OpenPGP
standard, described in RFC2440. It's a
file and email encryption program that works really, really well.
<free-speech-tirade>
Osama bin Laden may or may not have used PGP, but, to borrow a
phrase from the gun lobby, if you outlaw encryption, only outlaws
will have it. Software isn't far removed from the ideas it
embodies. One merely has to express an idea in a particular
succinct way to turn it into software. This means that it's almost
as hard to control the distribution of software as it is to control
the spread of an idea. Neither is quite impossible, just so
difficult as to be nearly always impractical.
Since this is so, it is folly to attempt to suppress a technology
with obvious benefits (encryption can be an enabler of commerce and
a protector of freedom) to try and keep it out of hands that would
use it for nefarious purposes. Those hands will be filled with the
tools whatever you do.
</free-speech-tirade>
|
| |
| |
