Re: Indy praised on linux.com

[jfm2@club-internet.fr]

David Webster wrote

> X-M-Uid: 6933.949198553
> 

David I think you should forward this to Jericho

> Jericho just wrote an article on open source security, and the attitude
> linux distributions take towards security. Indy gets mentioned, and put in
> a pretty good light (he perhaps a little over stated what we're doing, but
> I believe we have the attitude correct, and that's what counts). Jericho
> says he writes two articles a month for linux.com, and would be interested
> in writing a whole one one on Independence. I suggested that next time,
> when the file isn't done quite so quickly (he contacted me a couple of
> hours ago with the idea, and now it's finished), he speaks Jean as well.
> 
> The article can currently be found at:
> http://www.attrition.org/~jericho/works/misc/lc-one.html
> (will appear on security.linux.com soon)
> 
> Relevant parts:
> 
>    Why Linux Security Will Succeed
>      _________________________________________________________________
>    
> [...]
>    Two flavors of Linux stand out in the fight to maintain the most
>    secure platform possible. Both the RedHat and the Independence
>    distributions of Linux have made significant proactive efforts to
>    improve their out-of-box security. In singling these two distributions
>    out, I do not imply that other flavors of Linux are in any way
>    negligent, only that these two appear to be setting trends in the
>    Linux community.
> [...] (text "Independence" above has link to Indy's home page)
>    Another relatively new distribution has taken an interest in improving
>    system security by tightening file and directory permissions. Unix
>    descends from a spirit of sharing resources and information dating
>    back to the 70's, when security almost hindered daily operations too
>    much. It was a time where one administrator would quietly sneak into a
>    system to fix a bug that was preventing his system from sending mail
>    to a recipient, and just as quietly sneak back out without a word.
>    Because of the loose permissions on files and directories, this was
>    possible and encouraged users to fix their own problems. In today's
>    world, that ability to fix your own problems also translates into the
>    ability of an attacker to gain additional access and compromise the
>    integrity of a network.

Indy's attitude towards security is in making the distrib secure out
of the box because we cannot expect every Linux user has an
experienced sysadmin at hand.  However respective to internal attacks
it doesn't improve on RedHat (except for bugfixes) because we expact
most boxes will be single user boxes where the only reason people
don't connect as root is because using root allows costly mistakes.

The area where Indy improves upon RedHat is external security by
allowing the 'Personal station' class where we assume the user is not
sitting behind a firewall so we disable dangerous services and those
deemed useless for most private users.  The other difference towards
RedHat is that we provide software for disabling IP packets coming
from the outside and trying to connect to services on the box.  This
software requires near zero technical knowledge and this an important
aspect because no matter how theorically secure a system can be made
its vulnerability will be determined by the amount of time and
knowledge the user can spend in securing it.

-- 
		Jean François Martinez

Project Independence: Linux for the masses
http://independence.seul.org