[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security Plan



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 5 Dec 1999, Roger R Dingledine wrote:

> > This is a plan I've worked up to improve Indy's security. Comments are
> > more than welcome.
> 
> Be sure to check out the bastille-linux project.
> 
> http://www.bastille-linux.org/
> They've got a hardening script that they're generating for (i believe)
> RH 6.1. Is progressing nicely.

I've just checked out the web page, and it sounds as though it could be
what we want. Also, as it come in a script form, I'd imagine that it
wouldn't be too hard to integrate into indy. I've not had a chance to try
it yet, anyone had any experience with it?
  
> > - - Suggest against use of telnet, include ssh.
>  
> what is the proposed way of installing this thing? if you do a network
> install off belegost, then you need to get your ssh rpm's from elsewhere,
> which complicates things...
> 
> tho hey, i don't mind making a statement about us law and just exporting
> them. but that's something we should consider more carefully before doing.

Would it still be illegal to export it if had was an imported copy? i.e.
say I download a copy I can legally obtain, I then upload it to the ftp
site (import it), it is a non US version, freely avaliable outside the US,
would there still be US export regulations on it?

I've no objections to breaking stupid useless laws, but we would need to
think about indy before doing so. It's my opinion that including ssh
illegally would potentially do more harm than good.
 
> > - - Promote use of GPG/encryption software, include intergration for all
> > mail readers, if possible.
> 
> is pgp deprecated in favor of gpg in all cases now?

gpg isn't subject to the same export restrictions pgp is, is it? GPG is
more in the spirit of linux software, all in all I can't think of a reason
why not.

 > > After talking to Jericho (Brian Martin), he thinks that this should rule
> > out over 95% of the attack possibilities.
> 
> As an MIT network security consultant, this statement triggers my bullshit
> detector. Please don't say it for official Independence publicity. :)

I don't plan on making any official statements on behalf of indy, but it
does seem to me that they would greatly reduce the number of holes, maybe 
not by 95%, but certainly the majority. I'm no security expert (I just
play one at weekends ;), so I can be sure.

David
- --		   ,------------------------------,
,==================| S H U N  A N T I O N L I N E |=================,
| David M. Webster '------------------------------' (aka cogNiTioN) |
|===| I use Linux everyday to up my productivity - so up yours! |===|
|=================|-| PGP KeyID: 0x 45 FA C2 83 |-|=================|
| <cognition@bigfoot.com> |-|===========|-| http://www.cognite.net/ |
`===========| I walk to the beat of a different drummer |==========='

-----BEGIN PGP SIGNATURE-----
Comment: David Webster (aka cogNiTioN) <http://www.cognite.net/>

iD8DBQE4b6DHDdLNO0X6woMRAmMtAKD2lBpSJne5TlUVi6yfwx4Ghh6ksgCgyT8o
0DyCUSnAEEPANay/HFbKjVE=
=k4Ot
-----END PGP SIGNATURE-----