osOpinion: Linux Security, or Rather, the Lack Thereof
Sep 21, 2000, 07:15 (13 Talkback[s])
(Other stories by Joeri Sebrechts)
[ Thanks to Kelly McNeill for this link. ]
"Then, the worst thing happened, high-speed Internet finally took off. Entire crops of default Redhat installs invaded the Internet, often running for weeks on the same IP. It didn't take long for the script kiddies to find out what an easy source for zombie machines these are, and started taking down sites "just for fun" with the most lame attack possible, the denial-of-service. DoS attacks require no skill. I could teach my mom how to do it in 15 minutes. But the fact that they're lame doesn't make them harmless. In fact, all those newbie users with their default Redhat installs are unknowingly helping script kiddies to cause billions of dollars in damage every year, simply because the script kiddie owns the bandwidth of every cracked PC and can thus saturate it by directing a ping flood at a site. Because of this, a profound dislike has developed against newbie users who don't keep their systems upgraded amid the *nix crowd. But it's not the users who are in error."
"Recently I made my very first server install. I had weeks of time on my hands (blessed is the student's life) so I wanted to do it thoroughly. I learned everything there is to learn in the field of securing your system. I started out with what everyone is supposed to know, firewalls, tcp wrappers, sudo, and then worked myself down to the details. I was horrified to discover how evil distribution manufacturers really are. Most distro companies make their distributions with little thought to security in mind. (Yes, I know you've heard that before. I did too. But it never "sinks in".) There are hundreds of ways to make a Linux install more secure, but none of these companies apparently know of them. Some have glimpses. There are some who have a default install that's reasonably secure (go Debian!) or others have options allowing you to specify how secure you want your install to be, but this changes nothing to the picture. You see, they expect the user to choose the most secure option he needs, but how can a newbie know this? A newbie barely knows cd, cp and ls. How could he know about the relative security of different applications?"