[vox] password stolen at linuxworld

ME vox@lists.lugod.org
Tue, 12 Aug 2003 02:08:13 -0700 (PDT)


Specific comments below...

Adam Carlson said:
> Yeah it usuallyl comes down to theory vs. implementation.  Books on
> theory usually have a longer life span, but don't tell you much about
> how to protect your computer using the latest and greatest firewall
> rules.  Books on implementation will tell you how to protect yourself
> using today's tools, but go out of style faster than the latest and
> greatest reality show.  In security I think that's kinda the nature of
> the beast unfortunately.  One outdated book I would recommend checking
> out is "Securing and Optimizing Linux" which can be found here(legally I
> hope):
>
> http://www.mc.man.ac.uk/LDP/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/

Kewl. In print and online? Wow. :-)

> It's outdated, but I really liked it because a lot of the time it would
> not only tell you what you should change to secure your system, but why
> you should change it and what's at risk if you don't.

Another is/was "Practical Internet Security" (Oreilly and Associates)
A bit old too...

>  There's also
> complete pdf of the book floating around out there somewhere if you
> don't mind searching.
>
> I'm actually a student in the graduate security program at Davis so if
> anyone has any questions about the program feel free to ask.  I'm sure
> there are many people on this list who know much more about linux
> security and security in general than me, but I'd be happy to answer any
> questions about the program itself.  I think in general many people
> would be suprised by how little practical security knowledge you
> actually get in the graduate program here.  Most of what your taught is
> theory and any practical knowledge gained will be picked up in research
> or projects of your own choosing.  I'm really not sure if this is
> typical of departments everywhere, but the longer I'm here, the more I
> believe that we are the rule rather than the exception, atleast among
> research institutions.  -Adam

Very cool! I am interested in opinions of professors and students on
courses, classes, structure, and general work. Information on your reviews
of your first few years of the program, what seemed to work for you, and
what did not. Insight to focus, motivation, and direction of professors
and willingness for cooperative education among fellow students (vs.
competition to the point of fellows sabatoging each others' work due to
grading structure.)

Also, any kinds of favored authors, trends, sample projects and research
being conducted (topic-wise) by professors, students and teams would be
useful.

If you are worried about privacy, I might be able to make a meeting at
LUGOD to work out a key exchange-- or, if you can exchange keys with Pete
I think that would be sufficient for a one-hope jump to retain a distance
in the web of trust to allow importation of keys without signing each
other's keys

ME: (Mike Egan)
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x074A81E6

Feel free to mail responses on or off list, with gpg encryption/sigs or not.


> ME wrote:
>
>>A book?! :-o Heh. My fu is not that strong. Maybe when I am in the later
>>stages of an advanced degree?
>>
>>One thing to point out with computer security and books:
>>
>>You will often not find books that speak of popular issues in computer
>>security, which remain popular for very long. Obselesence in the computer
>>security world (exploit, measure, counter measure, counter-counter
>>measure) is a moving target. By the time such a book is written, it is
>>obsolete. :-/  (Such books are equitable to fad-based fiction that are
>>here today, popular for a while, and then later viewed with a
>>chronocentric perspective with statements like, "what was he/she
>>thinking?!"
>>
>>Better books in computer security have been written. They often take a
>>general approach. Such books are more like text-books. These books do not
>>cover specifics so much as they cover fundamentals. These books permit
>> the
>>reader(s) to apply the fundamentals to their specific problem(s). Since
>>many of these books  presently provide adequate to excellent computer
>>security information, it would be difficult to try to write YAB in this
>>area. (Think that whole, "ground of contention," thing as discussed in
>> the
>>AoW.)
>>
>>These kinds of things are best offered in seminar, presentation, or
>>dated-courses. Sometimes such work can be presented in white-papers
>> online
>>so that the content can remain nearly as dynamic as changes in focus in
>>computer security, but vigilance is required.
>>
>>Counter to all of the above... If such a book were written, I would
>>probably read it when it was new. (heh heh)
>>
>>-ME
>>
>>
>>John Mark Walker said:
>>
>>
>>>Speaking as the resident publisher on this list, I smell a book. Anybody
>>>interested? Such as the person I'm responding to? :@)
>>>
>>>-JM
>>>
>>>On Sunday 10 August 2003 12:48, ME wrote:
>>>
>>>
>>>>Heh. :-)
>>>>
>>>>I plan to eventually do a 2 or 3 part talk for NBLUG on System
>>>> Security,
>>>>but I need to finish my degree first. (?Maybe 2005?)
>>>>
>>>>Of course there are some problems:
>>>>#1: I sold my car to fund going back to school to finish my degree
>>>>#2: I am working and going to school full time, and don't have much
>>>> time
>>>>#3: I will be applying to grad school around this time
>>>>
>>>>I am looking at a few schools so far. If one of the schools is Davis, I
>>>>might be moving out there. (BTW, LUGOD is one of the bigger
>>>>non-university
>>>>reasons for including UC Davis at such an important point on my list.
>>>>
>>>>Knowing that I may never get around to do this, if I eventually did it,
>>>>this is what I might do:
>>>>
>>>>* Network Security    : Sniffers, Protocols, Services
>>>>* System Security     : Local access and priv escalation, hiding data,
>>>>                         kernel patches (their costs and benefits)
>>>>* Progamming security : How to write code to avoid race conditions,
>>>>buffer
>>>>                         over-runs, and bad assumptions
>>>>
>>>>What I would like to do is take a "stock Linux install" and then
>>>>demonstrate how users might gain access to stuff they should not. Then
>>>>show counter-measures, and then counter-counter mesasures etc. (Meant
>>>> to
>>>>show that security is an on-going issue, and to show "making something
>>>>secure" is a *limit* that we try to achieve, but not something we can
>>>>truely achieve.)
>>>>
>>>>I figure three 1.5 hour presentations could provide enough of the
>>>> basics
>>>>to help people start adding more security to their systems.
>>>>
>>>>What the presentation would not be:
>>>>* A "how to secure *your* system. (general "your".)
>>>>* A demonstration of system hacking (only a few samples of cracking;
>>>>    the "hacking" takes much more time with analysis and review.)
>>>>* A "see-all, do all, and end-all" to what is secure and what is not.
>>>>
>>>>It would be more like, "These are some things you should really pay
>>>>attention to" but that does not mean "anything else is not important."
>>>>
>>>>Who knows? Maybe I might become a local member to LUGOD some day... :-)
>>>>(I welcome any introductions to professors or students in the Advanced
>>>>degree programs for CS at Davis. I'd like to learn more about what
>>>>people
>>>>think about it.)
>>>>
>>>>-ME
>>>>
>>>>Bill Kendrick said:
>>>>
>>>>
>>>>>On Sun, Aug 10, 2003 at 08:48:46AM -0700, ME wrote:
>>>>>
>>>>>
>>>>>>On some of my servers, I setup a special web page that was available
>>>>>>
>>>>>>
>>>>via
>>>>
>>>>
>>>>>>htaccess authenticated https that permitted me to open up a hole in
>>>>>>
>>>>>>
>>>>the
>>>>
>>>>
>>>>>>firewall rules for the IP address from which I was connecting.
>>>>>>
>>>>>>
>>>>>Mike... I smell a talk. ;)  Wanna do one at LUGOD on stuff like this?
>>>>>
>>>>>
>>>>_______________________________________________
>>>>vox mailing list
>>>>vox@lists.lugod.org
>>>>http://lists.lugod.org/mailman/listinfo/vox
>>>>
>>>>
>>>--
>>>John Mark Walker	:	No Starch Press
>>>Acquisitions Editor	:	415-863-9900
>>>_______________________________________________
>>>vox mailing list
>>>vox@lists.lugod.org
>>>http://lists.lugod.org/mailman/listinfo/vox
>>>
>>>
>>>
>>>
>>
>>_______________________________________________
>>vox mailing list
>>vox@lists.lugod.org
>>http://lists.lugod.org/mailman/listinfo/vox
>>
>>
>>
>
> _______________________________________________
> vox mailing list
> vox@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox
>
>