[NBLUG] Article "Why BSD will never be as secure as Linux"

Rick Moen rick at linuxmafia.com
Mon May 14 10:43:14 PDT 2001


begin ME quotation:

> Background information on the author is helpful for this.

No, that would be (or would be close to) argumentum ad hominem.
Detailed examples of what (I claim is) Kurt's characteristic tendencies
as an author at work might be useful.  But I'm not at all sure I have
the time to do that.

But let's see what I can dig up, here:


[begin snippets from postings elsewhere:]

Date: Sun, 25 Feb 2001 16:45:47 -0800
To: pigdog-l at bearfountain.com
Subject: Re: [Pigdog] Linux distro suggestions for CoLo box`

begin PaoTzu quotation:

> If you want real linux security advice without paying a real sysadmin
> (most of them already have jobs) check out the lasg at seifried.org.
> Good stuff.

Kurt Seifried reads this list, and knows what I think of his often
mangled, derivative, and overblown security articles, so HI, KURT!

The need to consult _real_ security information rather than seifried.org
and securityportal.com was never clearer than when Kurt wrote his
laughably bad article on the alleged sky-is-falling threat of man in the
middle attacks against SSH.

Look it up, read, laugh heartily -- and then look elsewhere from that
point onwards.

(Yes, he does also write some good stuff.  Sometimes.  When he's not
whining that his copy of Microsoft Outlook Express can't read my
postings.)



From rick Sun Feb 25 20:20:08 2001
Date: Sun, 25 Feb 2001 20:20:08 -0800
To: pigdog-l at bearfountain.com
Subject: Re: [Pigdog] Linux distro suggestions for CoLo box`

begin El Snatcher quotation:

> That is some good advice!
> http://seifried.org/pictures.html#null

Ol' Chuckles himself, Kurt Seifried, is at http://www.seifried.org/ .
                                                                                
Kurt's LASG (Linux Administrator's Security Guide) project,
http://www.securityportal.com/lasg/, has been superseded by his Linux
Security Knowledge Base, http://www.securityportal.com/lskb/ .

Pretty shallow stuff, for starters.  It reminds me of one of those
kilopage Cue or Sybex books that you buy because they're fat and you
don't know anything about the subject, you spend a month wading through,
and then you foolishly blame yourself for not emerging much wiser, not
knowing that the thing was just poorly written.

Kurt seems to favour big, fluffy, GUIfied tools.  Seems about fitting
for an Outlook Express user.

http://www.securityportal.com/lskb/10000000/kben10000034.html, "SSH
Solutions for Linux":  Heh, even though he knows about my ssh-clients
list at http://www.linuxmafia.com/pub/linux/security/ssh-clients, he
doesn't act on that knowledge.  Nothing about MindTerm, MindVNC,
F-Secure SSH, OSSH, or AppGate -- and he mistakenly refers to LSH as
"psst".  Because, of course, he never looked deeper than the top of the
maintainer's Web page.

Our friend Kurt is, above all else, a dedicated self-promoter, so he
links only to his own articles on his SecurityPortal site, and not
(e.g.) to the SSH FAQ, any non-SecurityPortal articles, or any of the
other standard SSH resources.

Oh yes, and one of my personal favourites:
http://www.securityportal.com/lskb/10000000/kben10000002.html, "Securing
the LILO Bootloader".  Ooh, Kurt has discovered all sorts of neato ways
for users to lock out their own IS staff, which he justifies at length
in SecurityPortal articles on grounds that "anything that slows down the
bad guys is good" (paraphrasing).  People who did this kind of bullshit
on their workstations used to hassle me endlessly, when I was chief
sysadmin at $PRIOR_FIRM.

Real sysadmins, of course, put the security-sensitive parts of their
servers in controlled-access server rooms.  They don't do this bullshit
of "slowing down" people who've gained physical access.  But Kurt of
course, being the Microsoft weenie that he is, has bought into the
notion of having important machines in public-accessible areas.  Ergo,
he wants to "protect" the boot process, password-protecting lilo,
preventing workarounds like "linux init=/bin/sh", and locking the BIOS
into harddrive-booting-only mode with its own password.

I used to encounter workstations locked down that way at $PRIOR_FIRM.
Chowderhead would tell me, "Please fix foo on my company-issued
workstation.  My root password is bar."  And then he would leave for the
day.  I would arrive, find that he'd given me the wrong root password,
and that he'd also done everything possible to prevent me from getting
in and helping him.  Unlike a _real_ intruder, I didn't want to simply
zero his CMOS memory and make his precautions irrelevant, because he
might have settings in there he needed.  More to the point, unlike a
real intruder, I wouldn't just yank his hard drive out, laughing at his
"security measures".

So, after about five minutes of being hassled, I'd say to myself, "You
know, if Chowderhead is going to be like that, he can fix his own
fscking workstation."  And next day, he would come whining to me, saying
"But Kurt Seifried told me it was a good security habit."

And, oh yes:
http://www.securityportal.com/lskb/10000000/kben10000016.html, "Securing
the Linux Console":  Workstation users should deliberately deprive
themselves of the ability to induce an orderly shutdown and reboot with
Ctrl-Alt-Del, so that when they badly need to regain control and force a
shutdown to prevent filesystem damage, they can't.  Right, Kurt.  Sure.

And so on.  What we have here is a semi-clued technophile who's played
around perfunctorily with a bunch of security gimmicks -- almost
entirely on Red Hat, of course -- and tries to urge their application
whether useful or not, as supposedly making him a security expert.

Don't waste your time on Kurt or his piss-poor recommendations,
gentlemen.  There are real security books, real experts, and real
security sites.

[end snippets from postings elsewhere]


> I think at this point we just have differing opinions.

"Just"?

> I can see the value in your side of the argument, but it does not
> change my opinion.

Cheap-ass intellectually-lazy California relativism.  Figures.

> It is the old "commercial" to advertise about new stuff, but require
> the patron to do their own research vs. having the beginner start
> learning how to secure a system in a systematic fashion while their
> system remains open to certain attacks. 

No, man, you're missing my point:  I'm saying that Kurt gives actively
bad advice.  Reading what he says on security is often a subtractive
process:  While previously you were ignorant, afterwards you will "know"
things that are simply not so.

> Do you recall any good security presenters from your LUG that might be
> willing to come up to NBLUG to offer a security presentation?

No.  I deliberately ignored your question the first time, because I'm
not going to toot my own horn as a security writer in the same e-mail
where I criticise Kurt's writings.  You might want to ask Marc Merlin
to give his talk about more aspects of password security than you would
have thought possible.

-- 
Cheers,     Microsoft Corporation Gandhi-o-meter, revision 2001-05-03 beta01.
Rick Moen  "They ignore you." "They laugh at you." "They fight you." "You win."
rick at linuxmafia.com                       WE ARE HERE.>> ^^^^^^^^^^
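As an added illustration of the LILO settings the post argues about (this is not part of Rick's message, and the password and device paths are made-up placeholders), here is an /etc/lilo.conf fragment showing the unprotected entry beside the `restricted` form, with comments on what each setting does and does not protect against:

```text
# /etc/lilo.conf fragment -- added illustration, not from the post.
# "s3cret", /dev/hda and /dev/hda1 are placeholders. Run /sbin/lilo
# afterwards to rewrite the boot map.

boot=/dev/hda
prompt
timeout=50
default=linux

# Unprotected entry: anyone at the console can type "linux init=/bin/sh"
# at the boot: prompt and get a root shell without any password.
#image=/boot/vmlinuz
#    label=linux
#    root=/dev/hda1
#    read-only

# Protected entry: "restricted" makes LILO ask for the password only when
# the user adds boot parameters (such as init=/bin/sh); an unattended
# reboot of the default entry still works. Without "restricted", the
# password is demanded on every boot, which breaks remote reboots.
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
    restricted
    password=s3cret

# The password sits here in clear text, so the file must not be
# world-readable:  chmod 600 /etc/lilo.conf
# None of this survives physical access: a CMOS reset clears the BIOS
# password and a removed disk can be read elsewhere, which is the post's
# point about keeping servers in a controlled-access room instead.
```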