lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed May 11 22:08:44 2005
From: bkfsec at sdf.lonestar.org (bkfsec)
Subject: KSpynix ::: the Unix version of KSpyware? (Proof
	Of Concept)

James Tucker wrote:

>>Well, yeah, but I still wouldn't be throwing away GNU/Linux just yet on
>>that front.   I would argue that it's still entirely possible to build a
>>GNU/Linux system that is more secure than a MS Windows system,
>>relatively speaking.  (Note: I am not saying that GNU/Linux doesn't have
>>its share of security issues and I am not saying that one can't create a
>>well-secured Windows server.)
>>    
>>
>
>I can understand that this is drifting off track, but as part of the
>community, how can you relaibly justify this? I don't mean to be
>facetious, but I have never seen any such justification in existence,
>furthermore if other aspects are considered such as average required
>development time to a 'secure' system the argument can be easily
>swung. Such a comment may have been  more acceptable if one were to
>use openbsd as an example, arguably. Again there are aspects which
>must be considered, but if we are refering to the operating system
>alone then should we consider the default install, the number of
>discrete settings which must be changed? the length of a script which
>performs these actions automatically? such judgements are hardly
>quantifiable - due to scalar issues.
>
>Remember, if the choice was clear, someone would have 'won' already.
>
>
>  
>
*sigh*

I know it because I've done it before.  Having access to the code means 
that you can change things you don't like and also that you can 
construct them from the ground up to meet your needs.  Dependancies can 
be removed.  Packages and services can never be installed if you don't 
need them.

Obviously, if you're going to create a system that is very difficult to 
get into, it's going to take some time.  However, having access to the 
code and the will to modify the system you can do some very good things.

Just by that fact one can construct a more secure system with a Free 
Software OS than any other proprietary system.

Keep in mind, I'm not talking about getting Red Hat and turning off all 
of the services.  I'm referring to building a custom system from source 
packages - although, you can, if you want, reverse any GNU/Linux 
distribution in the same way, if you so chose, but sometimes it's better 
to start from the ground up.

I don't need statistics to tell me that it can be done. 

Incidentally, the very acts that I'm referring to are the ones that put 
OpenBSD into existance.  And, if it makes you feel better, I'd include 
OpenBSD in the statement.
            
                -Barry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ