SEMiSLUG Notes

14 April 2005

Question & Answer Sessions

Whither the Smithees?

Stupid movies, stupid food! It's the same weekend as Penguicon, however.

Where are we meeting next month?

Other side of the building. (BE-240)

Can't do sound with VMWare (Win95 client under Linux) -- any suggestions?

KDE typically steals the soundcard on start-up. Try fiddling with that and reboot. The best thing may be to get the Windows version of VMWare and run Linux under that -- many people have resorted to this, since VMWare seems to work better on Winboxen.

When you meet a professional spammer, what does one do?

Wash your hands.

"Gosh ... that's too bad." "Wow ... do you kids know?"

Ask them for their address?

Why does Comcast's DNS [expletive] suck?

Comcast just plain doesn't know how to do DNS.

Anyone buy an OQO?

Nope. Go see http://www.oqo.com/ for more info.

"Evil Carrots in Space" -- some scifi movie with infrared-eyed evil carrotoid beings. Anyone remember this?

Ask around at Penguicon -- that's where Wayne found his similar answer.

Parity software for CDs? (I.e. you want to write redundant data across CDs in case one is zorched.)

Something better than par2 would be nice.

10 Gigabit ethernet experiences?

It's a mess. Run away for the time being.

Presentation

"Open Source Security - The Search for a Manifesto" with Michael J. O'Connor

MJO is looking for ways to make security better; something that goes beyond
"code better" or "install all the patches."

(MJO is using PowerPoint -- be afraid.)

Top 10 Myths about Linux Distros and Security

10. We never respond when sent a security problem.

  • We do read BugTraq and friends, but you can't track everything.
  • >50% of what we receive is B.S.
  • SPAM, viruses, and you! (We get a lot of crap to our admin addresses)

9. We time advisory releases to make your life miserable.

  • vendor-sec: Open source, closed security
  • Consolidate, but beware
  • We can't retaliate against peers, or other "respectable members of the security community."

8. We coordinate directly with Linus/Theo/whoever.

  • Any sufficiently advanced OS is indistinguishable from a lawsuit.
  • We do work with the 2.4 and 2.2 maintainers, and 2.6 is on the way as it matures ...

7. We have lots of distro people working on security.

  • How many SuSE advisories do you see?
  • With 700 people and a $4.2 billion valuation, how many dedicated security people does RedHat have?

6. We play nicely with CERT and other external organizations.

  • 15'll get you 20, hack4life, ISA
  • NTSCC - not so nice? You judge.
  • IDS and scanner vendors do NOT talk with Unix vendors of any flavor.

5. Distros are against FULL DISCLOSURE.

  • Full disclosure is NOT Immediate Disclosure
  • Graduated Disclosure is BAD
  • #include <snmp-horror-story.h>
  • OIS, the Organization for Internet Safety and beyond
  • What does disclosure really mean with open source?

4. It's easy for the distros ... the community does all the work!

  • How many open source apps have a public disclosure policy?
  • Or a confidential way to contact them for security issues?
  • Or security contacts for mirrors?
  • DHS and Vulnerability Disclosure: create a /security page today!

3. When vendor marketing says "security," this is "security" as you or I understand it.

  • Remember C2/B1?
  • Common Criteria Evaluation -- SELinux and RedHat Enterprise 4
  • ??? [lost this one -- Gabe]

2. Customers are actually explicit in what they want out of a patch.

  • "I just want a fix DAMMIT!"
  • <irony>No one ever wants _exactly_ what they are running now with _just_ a security fix.</irony>
  • Yes, people have good reason not to want to upgrade ...

1. Customers tell us security is their NUMBER 1 Priority.

  • The number 1 priority is: UPTIME (And some folks accept rebooting Windows every day. For now.)

This is the state of security now ... or as of a few months ago when MJO first gave this talk elsewhere.

  • Try to find out who the security contact is at sites you use. (Google, Freshmeat, Sourceforge, etc.) If they don't have a security contact, bug them until they do.
  • Publish your disclosure policy.
  • Publish your cooperation policy.
  • There's a special Hell reserved for software with stupidly obscure version numbers. (2.3.8.43j.9 and so on)
  • Put up a dated /security page. Maintain it. Implore people to bug you when you haven't updated the info for 3 months.
  • We don't care if your security is no good -- just document it.

Rumor & Innuendo (No names, please)

"Once you have eliminated the impossible, whatever remains, however improbable, must be the truth." -- Sherlock Holmes (Ask MJO about this.)
