InfoWorld: U.S. government moves to secure Linux; will NSA's efforts shape the future of security?
Feb 05, 2001, 23:33
(Other stories by P.J. Connolly)
"Last month's unveiling of the National Security Agency's attempt to create a truly secure Linux was the first good security news of the year. On Jan. 2 the NSA announced that it had been figuring out how to harden the popular open-source OS, and that it was sharing its prototype, dubbed Security-Enhanced Linux, and source code with the public...."
"So why is Fort Meade, Md., suddenly a hot spot for Linux security enhancements? Well, Linux is no longer strictly an OS for longhaired, ponytailed types; the Feds use it too. Some of the Linux gurus and security experts quoted in press reports were skeptical of the agency's intentions, although the NSA is making its enhancements available under the GNU Public License (GPL), and the source code is, as noted, available for inspection. That's a better deal than we're getting with Carnivore, in case one is concerned with bona fides...."
"One of my beefs about Linux is that it's a bear to secure. Few distributions (Red Hat being a notable exception) offer any tools for automating the process of downloading and installing system patches that affect security. In most cases, you're running a command-line tool, which is tolerable when you have to install one or two patches. But when you're setting up a new Linux machine, you may have dozens of these to add before the system is safe to connect to a public network."
"The bad news is that the NSA's Security-Enhanced Linux prototype doesn't do anything to address that problem, nor should it; that's a vendor's responsibility, and it's a shame that few have recognized their obligation to make this process easier. The good news is that the agency is using its decades of experience in securing its own machines to help with the greater chore of fortifying the OS itself and making the system architecture less vulnerable to assault."