* Re: Is this mail list dead?
From: Tracy R Reed @ 2001-03-12 23:40 UTC
To: securedistros; +Cc: selinux

On Mon, Mar 12, 2001 at 03:17:28PM -0800, Crispin Cowan wrote:
> It still seems to function, but the participants no longer seem
> interested in the charger. It was supposed to be for cross-distro
> discussion of issues pertinent to security-oriented Linux distributions.
> Since the list was founded, some of those distros have died, and the new
> ones to come along (e.g. SELinux) don't seem to have joined.

Unfortunately, not many distros seem interested in security in general.
It's giving Linux a bad name.

I've cc'd the selinux guys on this as an invite for some of them to join
the list.

--
Tracy Reed http://www.ultraviolet.org

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

* Re: Is this mail list dead?
From: Chris @ 2001-03-13 4:29 UTC
Cc: securedistros, selinux

Tracy R Reed wrote:
>
> On Mon, Mar 12, 2001 at 03:17:28PM -0800, Crispin Cowan wrote:
> > It still seems to function, but the participants no longer seem
> > interested in the charger. It was supposed to be for cross-distro
> > discussion of issues pertinent to security-oriented Linux distributions.
> > Since the list was founded, some of those distros have died, and the new
> > ones to come along (e.g. SELinux) don't seem to have joined.
>
> Unfortunately, not many distros seem interested in security in general.
> It's giving Linux a bad name.
>
> I've cc'd the selinux guys on this as an invite for some of them to join
> the list.
>
> --
> Tracy Reed http://www.ultraviolet.org

There are still some people reading and monitoring. I am
just one who is interested in learning and have not had
anything to add.

kegwasher

* Re: Is this mail list dead?
From: Pedro Rosa @ 2001-03-13 12:02 UTC
To: Chris; +Cc: securedistros, selinux

Chris wrote:

> Tracy R Reed wrote:
>
>> On Mon, Mar 12, 2001 at 03:17:28PM -0800, Crispin Cowan wrote:
>>
>>> It still seems to function, but the participants no longer seem
>>> interested in the charger. It was supposed to be for cross-distro
>>> discussion of issues pertinent to security-oriented Linux distributions.
>>> Since the list was founded, some of those distros have died, and the new
>>> ones to come along (e.g. SELinux) don't seem to have joined.
>>
>> Unfortunately, not many distros seem interested in security in general.
>> It's giving Linux a bad name.
>

Frankly I consider that this is not a problem of Linux by itself.
Distros are mostly a concept and a philosophy of use. And they try to be
as broad as they can. However security is a specific and very particular
task. One may try a few general ideas and produce a "secure" distro. But
that cannot go far from a pilot test and no matter the way you cover the
security problems you must consider it as a private and particular
matter...
I would say that securing Linux in a distro structure would be the same
as forcing C2 to every Windows install.... Yeah try to use such an
install...

>>
>>
>> I've cc'd the selinux guys on this as an invite for some of them to join
>> the list.
>>
>> --
>> Tracy Reed http://www.ultraviolet.org
>
>
> There are still some people reading and monitoring. I am
> just one who is interested in learning and have not had
> anything to add.

Yeap... But maybe people are waiting from the wrong side. Maybe the
discussion should start in other way. Not about the distro but about
such things as sfs, LIDS, SSH and similars. Not about creating a secure
distro but speaking about security methods and approaches.
Then it is probable that these lists get alive...

Really I have seen lots of talks about this BS carrying the name of
"secure linux". There cannot be such a thing in Nature, no matter the
dreams of millions to see Linux overcome Redmond's MazDie (well, I also
do have dreams about it). One thing that made me subscribe to selinux
was the fact that NSA seems to approach the matter in the correct view.
As they say (please correct me if not so) is the fact that selinux is
just a pilot system. NOT a secure Linux distro. You may find approaches
that may help you to secure your boxes or systems. But in the whole this
system will barely be useful.

>
> kegwasher

* Re: Is this mail list dead?
From: Casey Schaufler @ 2001-03-13 19:57 UTC
To: Pedro Rosa; +Cc: Chris, securedistros, selinux

Pedro Rosa wrote:

> I would say that securing Linux in a distro structure would be the same
> as forcing C2 to every Windows install.... Yeah try to use such an
> install...

Every commercial OS today has a C2 option. The lack
of a C2 version of Linux has been a serious inhibitor
to adoption in the marketplace. I would guess you're
referring to the first NT evaluation, which supported
no networking and no removable media. Building a C2
(CAPP in Common Criteria jargon) Linux distribution
is easier than getting corporate marketing types to
see the value. Say, I bet I know what You do!

--
Casey Schaufler         Manager, Trust Technology, SGI
casey@sgi.com           voice: 650.933.1634
casey_p@pager.sgi.com   Pager: 888.220.0607

* Re: Is this mail list dead?
From: Pedro Rosa @ 2001-03-14 11:35 UTC
Cc: Chris, securedistros, selinux

Casey Schaufler wrote:

> Pedro Rosa wrote:
>
>> I would say that securing Linux in a distro structure would be the same
>> as forcing C2 to every Windows install.... Yeah try to use such an
>> install...
>
>
> Every commercial OS today has a C2 option. The lack
> of a C2 version of Linux has been a serious inhibitor
> to adoption in the marketplace. I would guess you're
> referring to the first NT evaluation, which supported
> no networking and no removable media. Building a C2
> (CAPP in Common Criteria jargon) Linux distribution
> is easier than getting corporate marketing types to
> see the value. Say, I bet I know what You do!
>

Well, first you may know that NT does not have C2 implemented from
start. However its implementation is not an easy thing and it enters in
conflict with many third-party programs. Even such things like Internet
Explorer or MS Office cannot live under a C2 environment. However you
may try a good effort to implement a middle solution, depending on your
user's requirements and an evaluation of all security issues that come
from easing the rules of the game.

You are right about the fact that Linux does not have a C2
implementation. However is this thing needed? Frankly I had a moment
where I needed a hard secured NT with C2 enforced to the maximum
possible. Due to stability issues and a few serious security holes in
the system, I had to drop out the project. Later, I took Linux for a try
in the same task. By taking the same requirements, I managed to produce
a box quite near to the one I tried with NT. I should say I didn't
follow C2 in this case, I just went for what was required to be secured
and created a solution to manage it. Interesting to note that for nearly
1,5 year there was no break in.
This is not fully a virtue of the security implemented in the system
(well the thing is quite weaker than C2) but it does not allow a break
in in the first try.

The lack of C2 on Linux sounds like a serious drawback. But how many
commercial organisations do implement this thing? I wonder that even
those who do really need it, barely realise that they have to seriously
configure Windows for such task...

Anyway, I would defend the existence of C2. And I do think that things
similar to C2 should be implemented on Linux (yes, it will be very hard
to do this). But not as to give Linux a slogan "It's C2 certified!" but
to answer particular requirements of users that do really need such
stuff. Not everyone needs such certifications. And note that their
implementation carries costs. Costs may be on performance (very high
ones), flexibility and even stability. This last one may even turn a C2
implementation into 0 as it was my case... A few system files broke
after a crash, and the whole thing was completely accessible to anyone
who just pressed "Enter" in the login.

Ektanoor

* securedistros mailing list subscription info [was: Re: Is this mail list dead?]
From: Martin Stricker @ 2001-03-14 22:38 UTC
To: selinux

Tracy R Reed wrote:
>
> On Wed, Mar 14, 2001 at 12:44:53AM +0100, Martin Stricker wrote:
> > Would've been nice if you included subscribe info for
> > securedistros@nl.linux.org! *g* I'm waiting for it, I'm interested
> > in secure Linux distros (I'm just trying out SELinux).
>
> Oops, I guess I should have included that. :) This should get you
> subscribed:
>
> Just send the text "subscribe securedistros" to majordomo@nl.linux.org
> and you will be on your way.

It works, and now I'm subscribed. I'll put this through selinux list so
others can join as well.

Best regards,
Martin Stricker