[ale] Sunday 05-22-05 6PM RUN-AS-ROOT CHALLENGE

Jonathan Rickman jrickman at gmail.com
Thu May 19 15:59:25 EDT 2005


On 5/19/05, ChangingLINKS.com <groups at changinglinks.com> wrote:

> I am not putting myself out to be that knowledgeable. I hire people that are.
> Moreover, you are not willing to go to the extent (that I am) to prove YOUR
> box is secure. If your box is secure, you will be able to substitute YOUR BOX
> for mine in the challenge (using the same rules I have set forth).

You are "putting yourself out" to be a friggin' idiot, to be blunt about it. 

Protecting the root account and its associated privileges is about
85% of the goal of Unix (and consequently Linux) security best
practices. By offering up the root account right off the bat, you have
failed to prove anything other than that you have (or at least believe
you have) a sound backup and recovery plan. The minute you give out
the root password you have, by default, failed any reasonable test of
security. Now for the sake of discussion, and keeping Jimpop from
pointing out how ignorant I am for not factoring that in, I am taking
for granted that you do not have SELinux or some other modification to
the standard security architecture in place. Barring that, when you
give out the root password and permit a remote user to log in you have
just given up all system security for the duration of the session.
This apparently is very clear to you since you have stipulated that
you will remove all personal information from the machine prior to the
disclosure of the password. The fact that you can restore a backup is
irrelevant. I can restore a backup too. This is not a revolutionary
concept.

You seem to be redefining terms to suit your purposes. Security means
what it means, not what you choose it to mean. I'll point you to this
wiki entry for a pretty clear definition:
http://en.wikipedia.org/wiki/Security_(computers)

Now, continue with your diatribe...it is proving to be a great source
of entertainment for myself and my colleagues.

--
Jonathan


