Maximum Linux Security's author appears unaware of cryptographer Bruce Schneier's dictum that "Security is a process, not a product." At its best, this book is a catalogue of useful security tools. However, very little context is provided for these tools. There is no discussion of particular vulnerabilities and how they are exploited, of network architecture and the difficulties inherent in TCP/IP networking, or of application-level problems.

Part one, "Linux Security Basics", covers some introductory material, physical security, Linux installation, and basic Linux system administration. Part two, "Linux User Security", covers password security and cryptography. Part three, "Linux Network Security", covers trojans and viruses, sniffers, scanners, and spoofing. Part four, "Linux Internet Security", covers various servers that can run on Linux boxes, including FTP, mail, Web, and firewalls, along with logging and disaster recovery. Part five, the appendices, is little more than a shovelware listing of programs and vulnerabilities.

The book's intended audience is unclear. Too much basic system administration is covered to make the book palatable to all but the rawest novice administrators, but without detailed discussions of system architecture or security issues, it cannot catapult these readers into the realm of security-aware administrators. Much of the book reads like a laundry list of past exploits; as all of them have, by the time they appear in print, been discovered and patched, they are of limited utility. Had these exploits been used to illustrate security concepts or modes of attack, they might have proved useful.

Though the anonymous author is billed as an experienced hacker, attack methodology is rarely discussed. The exception is the coverage of password attacks which, while still important, are less important than they used to be. When biometrics are discussed, weaknesses of these systems are not mentioned, nor are possible attacks against them. Given the success of simple techniques in thwarting these systems, some consideration of them would have been apropos. Similarly, social engineering, one of the most fruitful of hacking techniques, does not even appear in the index. One can certainly believe that the author has broken into a number of systems; this would explain the morbid focus on exploitable packages and the scattershot nature of his understanding. (Though the author's name is not given, his biographical blurb definitely indicates that he is male.)

Cryptographic applications such as GNU Privacy Guard are covered, but the essentials of public-key cryptography are ignored, as are issues of key distribution and certificate hierarchies.

Even his hacking knowledge, however, is out-of-date at best. For example, Ethernet switches are recommended as a security measure to prevent sniffing traffic. In fact, for quite a number of years, software has been available that tricks switches into behaving as hubs: it floods the switch's address table with bogus source MAC addresses until the table overflows and the switch falls back to forwarding frames out every port. The existence of these MAC flooders is not acknowledged, nor is even a theoretical weakness suggested.

The chapter on network scanners assumes reader knowledge of the TCP protocol, including the three-way handshake and the various flags. It is not clear, however, from the laundry list of scanning tools, that the author understands the underlying mechanisms by which any of these tools operate. The information in this list is sadly out-of-date. It seems to indicate that the Jakal scanner's stealth techniques will prevent discovery of such scans. In fact, on most modern networks (and even with many tools that predate Jakal), the illegal flag combinations set on these packets are far more conspicuous than the ordinary connection attempts a non-stealth scan generates.

Other information is equally out-of-date. The section on basic system administration relies on Linuxconf. Linuxconf has a long history of security problems and is no longer included in most Linux distributions. Even Red Hat, long one of Linuxconf's proponents, no longer ships it. Should a user manage to download and install Linuxconf from scratch, the user will find the system administration tutorial to be an insult to his or her intelligence. The official Red Hat documentation does a much better job in any case.

Appendix A, the "Linux Security Command Reference", appears to be useful at first. It lists many security applications and provides descriptions. However, some items (such as "exports") are files, not commands, and for commands that are noted as "add-on" applications, no source is provided. The failure to list any means of acquiring these packages is unfortunate, and negates most of the usefulness of this appendix.

There is information in the book that would help a system administrator secure his or her system. However, that information is not consolidated, and is never expressed as a principle. Had the book discussed the principle of least privilege, the principle of minimalism, or the importance of promptly installing security updates, it might have proven useful. Instead, this information is scattered over more than eight hundred pages.

Had the book served to describe the methodologies of system intrusion or defense, advanced system administrators might have gleaned some useful information from the text. Instead, concentrating on outdated exploits and half-understood hacking tools, the book accomplishes nothing of note. It is not recommended, except as a curiosity for the library of a completist.

Author's bio: Jon Lasser is a Unix Systems Administrator, Lead Coordinator for the Bastille Linux Project, and author of Think Unix. He's never bothered to take a computer course, except a single Pascal class in high school. He lives in Baltimore with his three cats: Mallet, Dashigara, and Spike. If for some reason you want to know more, check out his home page.

Copyright notice: All reader-contributed material on freshmeat.net is the property and responsibility of its author; for reprint rights, please contact the author directly.
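Two of the review's technical points, that a MAC flooder turns a switch into a hub and that "stealth" scans with illegal TCP flag combinations are more conspicuous than ordinary probes, are easier to see in detection logic than in prose. The following is an added example, not code from the review or from the book; it runs over constructed packet summaries (the MAC addresses, IPs, ports and the flood threshold are all assumptions chosen to exercise the checks) and shows which frames an observer on the segment would flag.

```python
"""Added example: flag-combination and MAC-flood detection over constructed
packet summaries. Not captured traffic; all values below are made up."""

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed sample: (src_mac, src_ip, dst_ip, dst_port, tcp_flags).
NORMAL_AND_PROBES = [
    ("00:11:22:33:44:55", "10.0.0.5", "10.0.0.9", 80, SYN),              # ordinary connect
    ("00:11:22:33:44:55", "10.0.0.5", "10.0.0.9", 80, ACK),
    ("00:11:22:33:44:55", "10.0.0.5", "10.0.0.9", 80, FIN | ACK),        # normal close
    ("00:11:22:33:44:55", "10.0.0.5", "10.0.0.9", 22, SYN),              # plain SYN probe
    ("00:11:22:33:44:66", "10.0.0.7", "10.0.0.9", 22, FIN | PSH | URG),  # "Xmas" probe
    ("00:11:22:33:44:66", "10.0.0.7", "10.0.0.9", 23, 0),                # NULL probe
    ("00:11:22:33:44:66", "10.0.0.7", "10.0.0.9", 25, SYN | FIN),        # never legal together
]

# A MAC flooder emits frames with hundreds of fabricated source addresses so the
# switch's address table fills up and it forwards frames to every port like a hub.
MAC_FLOOD = [
    (f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", "10.0.0.8", "10.0.0.9", 80, SYN)
    for i in range(300)
]

PACKETS = NORMAL_AND_PROBES + MAC_FLOOD


def classify_flags(flags):
    """Return a label for a TCP flag combination no legitimate stack sends,
    or None if the combination is plausible for normal traffic."""
    if flags == 0:
        return "NULL"
    if flags & SYN and flags & FIN:
        return "SYN+FIN"
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags == (FIN | PSH | URG):
        return "XMAS"
    if flags & FIN and not flags & ACK:
        # A real FIN always rides on an established connection, so it carries ACK.
        return "FIN without ACK"
    return None


def suspicious_probes(packets):
    """List (src_ip, dst_port, label) for every packet carrying an illegal flag set.
    A plain SYN probe looks like any connection attempt and is not listed."""
    found = []
    for _mac, src_ip, _dst_ip, dst_port, flags in packets:
        label = classify_flags(flags)
        if label is not None:
            found.append((src_ip, dst_port, label))
    return found


def distinct_source_macs(packets):
    """Number of distinct source MAC addresses seen in this batch of frames."""
    return len({mac for mac, *_ in packets})


def mac_flood_detected(packets, threshold=64):
    """True when one batch of frames carries more source MACs than a real access
    segment would show. Flooders often randomise IPs as well, so the check counts
    MACs across the batch rather than per IP; the threshold is an assumption to
    tune per segment."""
    return distinct_source_macs(packets) > threshold


if __name__ == "__main__":
    for probe in suspicious_probes(PACKETS):
        print("illegal flags:", probe)
    print("distinct source MACs:", distinct_source_macs(PACKETS))
    print("MAC flood suspected:", mac_flood_detected(PACKETS))
```

Note which frames are not flagged: the single SYN to port 22 passes every check, because a half-open probe is indistinguishable from a client that gave up, while the Xmas, NULL and SYN+FIN packets are caught by the simplest possible rule. The flood check is deliberately coarse; a switch with port security or a fixed address table per port would stop the attack at the source rather than merely observe it.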
Would you take advice from a moron? His home page states:
Re: Would you take advice from a moron?
As if you have any more credibility, attacking the man himself rather than the content of his review. Unless you can demonstrate any flaws in this review other than by ad hominem, he still has substantially more credibility than you: his criticisms are reasonable, backed with evidence, third-party-verifiable and well-thought-out, while yours are overarching and make questionable assumptions (i.e. regarding the linkage between formal training and actual skill). In short: unless you have something constructive to say, shut the f*ck up.
Re: Would you take advice from a moron?
Re: Would you take advice from a moron?
Simply because the truth of his statements has nothing to do with the value of the man who made them. Even if the author of this review were an idiot with no security knowledge or experience, that would still make it no less true (for instance) that many of the system administration instructions given in this book use Linuxconf, or that the book erroneously claims that the use of switches is an effective network security measure. The incompetence of the author of this review (even presuming such incompetence to exist) doesn't address the book's failure to discuss the fundamentals of public key cryptography, or that social engineering goes unmentioned. In short: the reviewer's words should be trusted or ignored on account of their truth or falsehood, not on account of what you know or think you know about him. If you think this is a bad review, tell me why it's a bad review. Don't tell me whether its author is knowledgeable about information security -- that's off the topic. The topic is this book, and thus far I've seen nothing to counteract this reviewer's low opinion thereof. And in answer to your subject: I may not take advice from a moron (or any unknown source) blindly -- but if even a moron tells me that there's a scorpion in my boots, I'm shaking them out before stepping in.
Re: Would you take advice from a moron?
I think even the best system administrator can perfectly well do stupid things on his non-mission-critical systems, and I think most of them do (and when you are unemployed, there are probably better ways to spend your money than backup media).
Re: Would you take advice from a moron?
No offense, but you are quite the dumbshit today. Since you seem to think you are a security god, tell me that you know what the Bastille project is. If not, why don't you look it up. Then look to see who the project coordinator is.
Re: Would you take advice from a moron?
Re: Would you take advice from a moron?
Re: Would you take advice from a moron?
Maximum Linux Security, I think, is geared toward youngsters interested in becoming an uber linux hax0r, who just recently switched from Windows to gnu/linux. I come to this point of view because many Linux security administrators, due to the technical understanding needed to run a gnu/linux server, are already familiar with, or should be with, the tools and concepts stated in the Maximum Linux Security book. The people interested in this book are usually not interested in how or why the utilities work the way they do; rather, they are interested in hacking/defacing websites easily. For these users this book delivers.
Re: Would you take advice from a moron?
I consider myself one of those people who was happy with Windows... but then found Linux. I recently migrated to Linux and have never looked back. A friend of mine, a guru as far as I'm concerned, gave me the book and said "this will get you started". True, the book does not mention a lot of basic things new users should know... of course, who wants to read through a couple of chapters about 'this is the mouse and this is how you use the mouse'. Same thing goes for a lot of the stuff that 'should probably have been AT LEAST mentioned', but it was clear to me why it wasn't. The book was much like a laundry list, I admit, however! ..I did not finish the book and say to myself 'Ok, I really don't want to read anything else on Linux'. Quite the contrary, I wanted to read more on the areas that were left out. Maybe the name of the book is the problem and not the content inside. Maybe it should have been titled 'Beginner's Guide to Maximum Linux Security' or 'The Road to Maximum Linux Security'. It's obvious that there is a naming scheme, his other books, and the author may have been misleading the reader. In conclusion, though, I think the book is more useful than not if you are a beginner or intermediate to Linux, and will push you in the right direction, give you the questions to research. Yeah! What about backing up data? Hmmm. Seems like you should think.. MAXIMUM SECURITY before you go try to implement it....