Linux Security Week: January 14th, 2008
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, the most interesting articles include "How to Mangle Information: Coverity's Open Source Bug Report," "Linux Laptop Strategies," and "11 Open Source Projects cleared as Secure."
Linux+DVD Magazine
Our magazine is read by professional network and database administrators, system programmers, webmasters and all those who believe in the power of Open Source software. The majority of our readers are between 15 and 40 years old. They are interested in current news from the Linux world, upcoming projects, etc.
In each issue you can find information concerning typical uses of Linux: safety, databases, multimedia, scientific tools, entertainment, programming, e-mail, news and desktop environments.
LinuxSecurity.com Feature Extras:
Open Source Tool of the Month: GnuPG! - It’s the new year, and to start it off right, LinuxSecurity.com presents January’s Open Source Tool of the Month: GnuPG!
Encryption is one of the main pillars of security, and GnuPG is a robust and flexible tool with great functionality that is fully GPL-licensed. And since it just celebrated its landmark 10th anniversary, it was an easy choice for our tool of the month.
Ten years is a long time in the open source community; a very long time. Lasting a decade, especially in these years of open source development, is nothing short of remarkable. And like all great open source projects, it came from humble beginnings: it was started by Werner Koch in Germany as a way to encrypt data without relying on patent-restricted algorithms (namely RSA and IDEA). Why?
Back in 1999 Richard Stallman was interested in pursuing a PGP replacement after existing patents had run out and had decided to turn to European developers...
Master's Student: A Quick and Dirty Guide To Kernel Hardening with GrSecurity - Our resident Master's student Gian Spicuzza chimes in this month with a great feature HowTo on kernel hardening! There are a number of ways to lock down a system, and RBAC (role-based access control) is one of them. Read on to learn more about what makes RBAC so useful, and to read one of the best overviews on Low/Medium/High Security... The combination of the Linux kernel and GNU packages has always been regarded as a secure operating system, but can it be more secure? Kernel hardening is the answer to tightening up the Linux backbone. GrSecurity, a kernel patch for Linux, is one of the more popular approaches...
One of the most significant features is the addition of a role-based access control system (RBAC) that monitors what each user can execute based on their role and denies execution if they overstep their pre-defined rules.
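To make the "deny if they overstep their role" idea concrete, here is a small Python model of a role-based execution policy. It is an added illustration written for this page, not grsecurity code (grsecurity's real policy language and enforcement live in the kernel); the role names, users and executable paths are constructed sample data, and the inheritance and glob-pattern rules are assumptions of this toy. It shows the three properties a practitioner cares about: deny by default, path canonicalisation before matching, and a record of every denial for later review.

```python
"""Toy role-based execution policy with deny-by-default semantics.

Added illustration of the RBAC idea described above, not grsecurity code.
Role names, users and paths below are constructed sample data.
"""
import fnmatch
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    allowed_exec: List[str]                       # glob patterns of permitted executables
    inherits: List[str] = field(default_factory=list)


class ExecPolicy:
    """Maps users to roles and answers 'may this user execute this path?'."""

    def __init__(self, roles: List[Role]) -> None:
        self.roles: Dict[str, Role] = {r.name: r for r in roles}
        self.user_role: Dict[str, str] = {}
        # Every denial is recorded so an operator can review what the policy blocked.
        self.denials: List[Tuple[str, Optional[str], str]] = []

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_role[user] = role

    def _patterns(self, role_name: str, seen: Optional[Set[str]] = None) -> List[str]:
        """Collect the patterns of a role and of everything it inherits (cycle-safe)."""
        if seen is None:
            seen = set()
        if role_name in seen:
            return []
        seen.add(role_name)
        role = self.roles[role_name]
        pats = list(role.allowed_exec)
        for parent in role.inherits:
            pats.extend(self._patterns(parent, seen))
        return pats

    def may_execute(self, user: str, path: str) -> bool:
        # Canonicalise first: "/usr/bin/../../bin/sh" must be judged as "/bin/sh",
        # otherwise a pattern like "/usr/bin/*" would match far more than intended.
        path = os.path.normpath(path)
        role = self.user_role.get(user)
        if role is not None:
            for pat in self._patterns(role):
                if fnmatch.fnmatchcase(path, pat):
                    return True
        # No role assigned, or no matching rule: deny and log (deny by default).
        self.denials.append((user, role, path))
        return False


def build_sample_policy() -> ExecPolicy:
    """Constructed sample: a locked-down service role and a broader admin role."""
    web = Role("web", ["/usr/sbin/httpd", "/usr/bin/php"])
    admin = Role("admin", ["/bin/*", "/usr/bin/*", "/usr/sbin/*"], inherits=["web"])
    policy = ExecPolicy([web, admin])
    policy.assign("apache", "web")
    policy.assign("alice", "admin")
    # "mallory" is deliberately left without a role: unknown users get nothing.
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    for user, path in [("apache", "/usr/sbin/httpd"), ("apache", "/bin/sh"),
                       ("apache", "/usr/bin/../../bin/sh"), ("alice", "/bin/sh"),
                       ("mallory", "/bin/ls")]:
        verdict = "allow" if p.may_execute(user, path) else "DENY"
        print(f"{user:8} {path:28} -> {verdict}")
    print("denials:", p.denials)
```

The service account can run only the two binaries its role lists, and the traversal attempt is normalised to `/bin/sh` before the lookup, so it is denied just like the direct request; both denials and the roleless user's attempt end up in `denials`, which is the list an operator would feed into monitoring.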
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.
EnGarde Secure Community v3.0.18 Now Available! (Dec 4)
Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.18 (Version 3.0, Release 18). This release includes the brand new Health Center, new packages for FWKNP and PSAD, updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, as well as other new features.
In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database and e-mail security, integrated intrusion detection and SELinux policies and more.
Emily Ratliff, a blogger and "architect for Linux Security, Quality, and Support for IBM’s Linux Technology Center," lists her most pressing stories in open source security this week. Below is the list; click through to her blog and check out her insight...
The Fedora Weekly News Issue 114 (dated Dec. 31, 2007) describes three “SELinux Rants” along with the response from the Fedora community.
Interview with Bruce Schneier, "Bruce Almighty: Schneier preaches security to Linux faithful" (dated Dec. 27, 2007)
11 open-source projects certified as secure
Data center robbery leads to new thinking on security is an interesting look at the data center break-in that occurred last October.
Unicornscan v0.4.7 Released for Download - Fast Port Scanner (Jan 10)
Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.
Have you heard about the port scanning tool called Unicornscan? There are so many port scanning tools out there, but do you think Unicornscan has any advantages over the others?
How to Mangle Information: Coverity's Open Source Bug Report (Jan 10)
Coverity's test of open source projects has been making the rounds non-stop in the past few days. The issue at hand here is the inherent value in what Coverity is actually providing - that is, identifying bugs in software to improve its quality.
Coverity's model is certainly one way of addressing the quality of code in an open source project. In fact, it can be a very useful model. They stated that 11 of the projects were cleared based on their "rung" system, among other observations.
But the issue is that many venues are mangling the information. First, they are not stating closed source bugs/problems. Obviously, you can't compare two sides by only counting the faults on one side. To be clearer, awareness of the number of bugs in open source projects has absolutely no bearing on the absolute number of problems relative to closed-source projects. They are independent of each other. Not to mention the fact that more awareness of bugs may account for bad press, but can allow for better overall security (knowledge is power).
The real problem here is that many of those covering the story are portraying it in the worst way imaginable; and in some cases, they are outright inaccurate.
Case in point: the following comment was found on the open source blog at ZDNET regarding the Firebird project. It's an example of how perception can sometimes be misconstrued...
How much do you use your Linux laptop? Sometimes securing your mobile computing is a hardware issue - but do those strategies change depending on your operating system of choice?
While you can find dozens of products to secure Windows laptops, security products for Linux laptops are scarcer -- but they do exist. We found a range of products and fixes ranging from security patches for the operating system to encryption to the equivalent of computer bicycle locks which can help keep your Linux laptop or notebook safe.
11 Open Source Projects cleared as Secure? (Jan 8)
Coverity, which creates automated source-code analysis tools, announced late Monday its first list of open-source projects that have been certified as free of security defects.
Eleven projects made the list: Amanda, NTP, OpenPAM, OpenVPN, Overdose, Perl, PHP, Postfix, Python, Samba, and TCL.
This list of projects may seem fair and equitable. And certainly, Perl, Postfix, Amanda and others can be very secure. But PHP? Granted, the project is done with a contract from DHS as well as association with Stanford University. And their certification boasts...
What inspired you to write Nmap, and what were your early expectations?
Nmap was mostly written during the summer of 1997, which I spent in Baltimore working as a teaching assistant at Johns Hopkins University. They set me up in a dorm room with Ethernet connectivity, giving me a new network to explore. At the time, I had a directory full of port scanners, such as Strobe for connect scanning, Reflscan for SYN scanning, and the UDP scanner from SATAN. I hacked them all to add options and features, but still found them frustrating to use. So I decided to write my own dream port scanner which would be faster, and support all the scan types and options I wanted.
Most of us have used Nmap, but few of us know who created this tool. This article interviews Fyodor, the creator of Nmap.