[techtalk] Security, experience, knowledge, etc.

Michelle Murrain mpm at norwottuck.com
Sat May 12 13:39:26 EST 2001


I just got my mail after oh, 18 whole hours of being offline, and read the 
threads on the single user boot thing, and whether it was a "feature" or a 
"security hole." 

There have already been eloquent answers in this thread, but one thing that 
struck me is the issue of how security depends not only on the OS's inherent 
capabilities, but also on the knowledge of the person who is the 
administrator of the box in question. 

Why in god's name would anyone think that a box should be secure from 
anyone physically in the same room? Why is that important? If you don't want 
people to get physical access to the box, lock it up in a different room or 
something. What's the point in making it hard for true administrators to deal 
with problems that arise, if you can just put a real lock on the server 
room?? A *real* lock on the server room is way more protection than any 
OS-related security measure!!

But it is true that we are, unfortunately, at the mercy of our knowledge and 
experience. I've been hacked, and it was because I didn't know what the f**k 
I was doing. I'm better at it now, and know what to watch out for, and what 
measures to use, but it took learning it the hard way. 

Linda obviously thought that her server OS was "physically" secure, but finds 
that, in fact, it's not. 

In truth, there are TONS of "pass key[s] to your house" in UNIX, and, 
probably more in any M$ OS, but at least in UNIX, lots of people know about 
them, and even if it is new, there will be 25 people working on patches that 
same day! The good thing is that we don't depend on one monolithic company 
for security. Not only are Linux and BSD more secure by their very design, but 
the fact that one company doesn't own them makes them even more secure, IMHO.

But the only way to really make sure your server is secure, sadly, is 
knowledge.

Michelle
------------
Michelle Murrain, Ph.D.
President
Norwottuck Technology Resources
mpm at norwottuck.com
http://www.norwottuck.com



