[CoLoCo] (no subject)

Kevin Fries kfries at cctus.com
Tue Sep 25 22:09:24 BST 2007 

Phillip,

Neal is right.

No system can be secured from physical access.  That is why most large
companies keep the servers in a secured access room.  Given enough
processing power, no encryption, or lock mechanism can keep out someone
who wants in.  Except in the case of the IPhone, nobody will ever get
that on a Non-AT&T network, lol

Think about it this way... Why do you lock your car?  why do some people
buy theft deterrent systems, to prevent someone from stealing their car?
To keep someone from stealing their car? No, because that is impossible.
All you can do is make it harder and harder to steal that car.  The
better the system, the harder it is to steal.  But a tow truck can steal
any car, even one with the club.  The hope is the harder you make it,
the more likely a thief will just move on to someone elses car.

The same issue occurs with servers.  If I have physical access to the
server, I can always remove the hard drive, mount it on another system,
and read the files.  So physical access MUST occur if any real security
is possible.  So, you either need to encrypt your data, and/or deny
physical access.

Encryption is another technology that is designed to make it harder, not
make it impossible.  One of the biggest differences between Windows and
Linux is that these encryption tools come with Linux, and cost thousands
and thousands of dollars in Windows.  But always remember, if you can
encrypt it, somebody will eventually figure out a way to decrypt it.

The other difference between Windows and Linux is the degree to which
the two systems are secured from network access to your data.  Linux is
notorious for having bugs, but the vast majority of these bugs usually
cause crashes or DOS issues.  While Windows has its fair share of these,
they also have far too many remote execution, virus, and worm problems.
Some of the remote execution problems are well known and unfixable due
to Windows's structure.  Microsoft is constantly fighting to close as
many of these bugs as possible, as quickly as possible to keep their
customers data safe.  But, Windows is no Linux.  Remote access to the
data is what most people talk about when they talk about security of one
OS over another.

You can drive yourself crazy trying to look for every little hole in
security.  Use some common sense, and you will generally be ok:

  - Keep servers in a physically secure location
  - If you don't need a service, don't run it
  - Use chrooting and process separation techniques when available
  - If data is highly sensitive (ss numbs), encrypt it
  - Keep your server patched
  - Don't let your server run more than one version behind current
  - If data security is important, buy all that is good and wholly, put
    it on a Linux server!

if your data is highly sensitive (trade secrets, social security
numbers, credit card data, etc), not only encrypt, but also implement
intrusion detection tools like snort.

Follow these rules, and you will generally not have any problems.


Kevin Fries
Senior Linux Engineer
Computer and Communications Technologies, Inc
a Division of Japan Communications, Inc


On Tue, 2007-09-25 at 14:07 -0600, Neal McBurnett wrote:
> A clear definition of "security" is important here.  It varies for
> every situation, but often, _availability_ of your computer and files
> is very important.  So my response is that for both default linux and
> windows, the availability of recovery mechanisms when you forget your
> password is a security feature.  Besides that convenient init trick,
> booting from a CD is often very useful.
> 
> Of course, if you are really really worried about the risk that
> someone who can physically access your computer might steal your hard
> disk or whole computer and read the files, then you want an encrypting
> filesystem, and there are options like that also.  But you risk losing
> it all if you forget a password or don't have a USB key or whatever.
> 
> So linux is very secure, you just have to configure it to your liking.
> 
> Neal McBurnett                 http://mcburnett.org/neal/
> 
> On Tue, Sep 25, 2007 at 01:52:19PM -0600, telecon at infosyndicate.net wrote:
> > On Tue, Sep 25, 2007 at 01:18:24PM -0600, phillip tribble wrote:
> > > How secure is linux when you can recover a password like this?
> > > 
> > 
> > How secure is your linux box when someone can walk away with it.
> > 
> > That is essentially what you just asked.
> > 
> > Most *nix can be recovered that way, or someway remarkably close.  if you have physical access.
>

More information about the Ubuntu-us-co mailing list