Subject: Re: [lids] Re: Secure Linux Distro (fwd)
From: Christophe Long - System Administrator (christophe.long webmotion.net)
Date: Wed Apr 26 2000 - 15:54:32 CDT
- Next message: Horst von Brand: "Re: DoS"
- Previous message: Jim Dennis: "Re: Buffer Overflows"
- Next in thread: Crispin Cowan: "Re: [lids] Re: Secure Linux Distro (fwd)"
On Wed, 26 Apr 2000, Crispin Cowan wrote:
>
> I stopped following LIDS development because the LIDS design seemed like a bad
> idea; the console-only mode is too limiting for many applications. It still
> seems like a bad idea; "make non-console disabling a config option" is just a
> different bad idea, giving you a choice between the frying pan and the fire.
Well, it's your opinion, and I understand your point of view, but here
again, you only see a small part of lids's features.
>
> > > you have relaxed LIDS to allow network disabling, then that eases the
> > > practical restriction on use of LIDS, but creates a significant security
> > > vulnerability. Please elaborate on the authentication scheme for
> > > disabling LIDS, as that is the system's cornerstone.
> > I think the discussion will be interesting as soon as you have read a bit
> > the documentations and / or the website even if not all of this are up to
> > date.
>
> No, I will not invest more effort investigating LIDS details until you explain
> how you authenticate someone who asks to disable LIDS. This issue is
> fundamental to your design, and needs to be addressed *prominently*, not
> hidden away behind excuses like "read all the documentation or we won't talk
> to you."
>
> Crispin
Excuse me, but I'm always surprised by people who want to do security
and never read documentation; afterwards, they cry because of a hole in their
systems, holes which could be closed by a simple configuration, but for
that the documentation must have been read.
Lids doesn't resume to an authentication. It's first of all an idea,
a design. There are many ways to authenticate an entity and serious
research on that topic, so the one existing in lids can be easily changed.
The problem here is mostly the attitude of a guy who doesn't make the minimal
effort before asking a question. I'm always glad to answer questions, even
the simplest, as soon as I have the impression the guy has tried to
understand.
For your information, lids uses a password, double crypted (have a
look at the various documentation before asking why, there is a good reason),
stored in the kernel code.
And yes, it's, I think, secure enough. I hope to be able to provide you
soon with a root account on a machine, for you and others, to test the
security of lids.
A last point: Webmotion contributes to the lids project by providing 15
hours a week of a programmer, Philippe Biondi, to try to enhance lids and
to make the project go ahead. But it's not a commercial product and your
attitude is really unfriendly. Everyone here tries to do his best and
we aren't your slaves; on which planet do you live? If each time a new guy
interested in the project comes here and asks questions without reading
anything, I think the project will certainly slow down.
RTFM is still the good answer in this case.
Regards,
Christophe
--
Christophe Long
Director, Systems Administration
Webmotion Inc.
http://www.webmotion.com
mailto:christophe.longwebmotion.com
Phone (613) 731-4046
Fax. (613) 260-9545