|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
May the source be with you, but remember the KISS principle ;-)
Bigger doesn't imply better. Bigger often is a sign of obesity, of lost control, of overcomplexity, of cancerous cells
Beta version 0.7; May 17, 1998
by Simson Garfinkel, Gene Spafford
The authors compile a vast amount of available material on UNIX security into quite a readable volume written in a very good (for an introductory book) style. The emphasis is on understanding areas in which security is compromised, but some general information about UNIX is also provided. After the map of such areas is constructed one can do own research. The list of the "support stuff" is really impressive and includes Dan Farmer and Wietse Venema (the latter reviewed chapter on wrappers).
The book is very good in providing history of UNIX in general and particular subsystem. For example it is one of the few books I read, that provides some information on Multix (p.9) as a predecessor of UNIX. Most just mention this fact.
Although almost all information from the book (and much more) is available on the WEB and conference proceedings, it would take some time to get it and systemize the way the authors did. There are summaries after each chapter -- a plus for an introductory book. The book covers a large number of topics, although some of them are slightly remote from the subject (computer crime law, physical security, personnel security, etc.). As an introductory book it is fairy good in providing some basic UNIX system administration information.
The threats to a UNIX system used as a server in the commercial environment vary greatly in terms of intent, sophistication, technical means, and potential impact. In order of diminishing probability threats can be categorized into the following groups:
Based on validated incidents the first three category are most common, while the last three are getting most media coverage.
Chapters are very uneven. Generally they can be read in any order. I would like to recommend to read chapter 4 (Users, Groups. and the Superuser), chapter 5 (The UNIX filesystem), chapter 6 (defending Your Accounts), chapter 7 (TCP/IP services), chapter8 (Defending Your Accounts), chapter 10 (Auditing and Logging) chapter 20 (NFS Security) and chapter 23 (Wrappers and Proxies). They contain useful material and can serve as a good starting point for collecting additional information on the Net.
I see the following shortcomings in the second edition:
Other interesting "revelation" in on page XV "... But the truth is, UNIX hasn't became significantly more secure with its increase in popularity, That's because fundamental flaws still remain in the interaction of the operating system and its users. The UNIX Superuser remains a single point of attack: any intruder or insider who can became the UNIX Superuser can take over the system, booby-trap its program...".
Simple question. What if UNIX is installed on CD -- they are really cheap now and one can make a new version each day ;-). How much damage to programs on CD can this evil Superuser inflict ? One does not even need CD. Just SCSI disk with read-only switch can help. Probably even BSD immutable attributes can be enough in most situations.
OK, let's assume that Unix is insecure, but what alternative is better. NT? I doubt, and authors need facts to prove that. NT is a very complex and controversial (driver model, Win32 subsystem, etc.) operating system. The behavior of the NT security system in such a complex environment is difficult to predict -- with BackOffice installed it looks like another "Alice's Adventures in Wonderland" story. Service packs break applications, and vice versa. If is always a mystery what version of DLL is installed, because each application can update them during installation. The system registry is an excellent illustration of the idea that the hell is paved with good intentions ;-). MVS? VM/CMS? VMS ? They all have problems. I am not a big UNIX specialist, but I know that Unix is much more dynamic in this respect that other OSes. Several new features that improve UNIX security were introduced in recent years. Among them pluggable password security modules that prevent user from selecting weak passwords, new configuration errors checking tools (Solaris now have one built-in), access control lists, new attributes (immutable and append only -- for sequentially written logs; on BSD once set, these flags can be reset only in a single-user mode), better protection against some attacks (for example FreeBSD 2.2.6. contains protection against various buffer overruns and "LAND attacks").
I was really surprised to read the "The many faces of 'Free Unix'" on page XXIV. It contains another "revelation" as "The Linux operating system makes things even more complicated. That's because Linux is an anarchic, moving target. There are many different versions of Linux. Some have minor differences, such as the installation of a patch or two. Other are drastically different, with different kernels, different driver software, and radically different security models". After reading about "radically different security models" and stances like "Today, the world of free Unix is a maelstrom. It's like if commercial UNIX was being promoted and developed by several thousand different vendors" I was ready to recycle the book. I beleave SUN does not need such advocates ;-). If they refer to MKLinux this is not fare. If they refer to x86 Linux this in simply wrong. IMHO official patches of the kernel are common for all x86 Linux distributions (this is the nature of Linux project -- kernel code is controlled by Linus Torvalds and he is the final authority that approved patches to the kernel, see for example his letter on the latest patch-2.0.33 ) and all versions of Linux come with GNU utilities which are more crash-resistant than implementations of commercial vendors. See for example:
The most important problem is that the authors do not explain what tools to use and how to use them and what are reasonable priorities in UNIX security. For example they do mention that most of security problems are configuration problems, but only in passing. IMHO this should be the central theme of the book. I was unable to find The most difficult issue in UNIX security is to avoid introducing arbitrary and often unnecessary measures(for example "password fascism") that makes users less productive without influencing (or even making it worse) an overall security.
The book does not have Web page with updated WEB resources, but this is a minor fault as COAST archive can be used instead (there is a standard page on O'Reilly WEB site, it should be probably ignored). I would like to recommend course notes to the course LT 468 -- Internet and System Security, Dept. of Computer Sciences, Purdue University.
There are also some minor points. For example they consider UUCP not suitable for 14.4Kb or faster lines, which is not true. In Europe it is widely used (Taylor UUCP is probably the most common type of Internet connection in xUSSR and works well at 14.4Kb or faster lines). There is no "Recommended Supplementary Reading" information after each chapter.
The main question that needs to be answered is how well the book fare in comparison with RFCs and other materials freely available on the Net. The answer is that it is a useful starting point and contains basic information on a lot of aspects of UNIX security. One can get almost all information from the WEB, but with additional efforts.
The second question is how well the book fairs among other similar book. I would like to say that it is above average as for UNIX security (compare with Unix System Security by David A. Curry) and below average as for Internet/Web security.
Alternatives include combining one book on Unix security with a book on Internet security. I would reccomend the following book on Unix seciruty:
Unix System Security: A Guide for Users and System Administrators (Addison-Wesley Professional Computing Series) by David A. Curry. See also Improving the Security of Your UNIX System The "SRI Paper" that has been widely distributed around the Internet. It was written in 1990 and was a predecessor to the UNIX System Security book. David A. Curry is the author of UNIX Systems Programming for SVR4 and is also active tool developer (see his home page for the complete list). Among them are(description are borrowed from the author's page):
As for Internet Security I would like to recommend:
Generally there are now a lot of comprehensive books on Internet/Web Security. Often books written by a specialist in a particular protocol can be a better deal that the book from security professionals (paraphrasing old saying about teaching one can say that "those who can -- write programs, those who cannot go to system administration and those who neither can write program nor perform system administration write books about computer security" :-). For example TCP/IP Network Administration by Craig Hunt contains a lot more information about how properly configure TCP/IP than PUIS and in Chapter 12 has a very decent overview of security in just 40 pages.
IMHO the book is best suited to the users with little or no programming experience (students, hobbyists, probably IS managers, etc.) and a limited exposure to UNIX. It is not the best book for professional UNIX system administrators, but still it's a well-written introductory book. IMHO to pretend that this is a professional reference was a major mistake made by the authors. All in all I would like to mark it with 7 on 10 grade scale.
Examples are available via FTP ftp.ora
Simson Garfinkel of The UNIX-Haters Handbook fame is a gifted journalist, columnist at WIRED Magazine. He recently created own his own ISP company(see www.www.vineyard.net) that in April, 1998 has approximately a hundred customers. So now he probably has some experience "from the trenches" unless due to his "unix_hatism" he use NT (see for example his "unix_hatist" essay The Fundamental Flaws of Unix -- the essay that surprisingly superficial and lucks understanding of current trends in UNIX architecture -- cornerstone of any such explore). Currently he is a a freelance technology writer working mainly in Wired. Some years ago he was an editor at SunExpert magazine. He graduated from MIT in '87 then was a Ph.D. candidate at the Media Lab from 90-91. Now he is resident of a little island off Massachusetts -- Martha's Vineyard. It isn't as exciting as everyone thinks to live of such an island, however. They don't even have a mall, and it probably gets mighty boring in the winter ;-).
He is the author of several other books:
See also Amazon.com Author Interview -- Amazon.com talks to Simson L. Garfinkel. In this interview to amazon.com he told "...I think that the biggest issue facing our society today is the lack of rational design, peer review, and common sense that is going into technological systems.". This is of course true, but to a certain extent applied to his books ;-).
Eugene H. Spafford (Dept. of Computer Sciences, Purdue University) probably belong to the "computer security establishment". He is a professor of Computer Sciences (according to his vita since 1979 he has taught courses in OS, compiler and language design, computer security, computer architecture, software engineering, networking and data communications, and somewhat alarming ;-) on issues of ethics and professional responsibility), the founder and director of the Computer Operations, Audit, and Security Technology (COAST) Laboratory (that maintains the world's largest archive on computer security).
He seems published all his books with co-authors, most frequently with Simson Garfinkel. Some materials on his page are rather outdated (probably 1996) but it seems that till 1996 he lead Purdue Security Seminar -- semi-regular, informal seminar on issues of computer security and taught course CS 590T -- Penetration Analysis. His resume shows that he probably switched to mainly managerial duties connected with COAST approximately from 1993. An interesting project that he was involved was the Spyder Project concerned with research into new methods of debugging software. He was also participated in design of the current naming structure of Usenet. For 11 years, he updated the news.announce.newuser and posted them to the Usenet. In 1993, he retired from the task. Here is the collection of quotes that can probably give some insights into his personality. He also manage Web-head list. He definitely has a good sense of humor.
Somewhat alarming is the fact that he claims to be a co-author of a book on computer viruses (Eugene H. Spafford, Kathleen A. Heaphy, and D. J. Ferbrache; Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats; ADAPSO, Arlington, VA; 123 pages; 1989). I am generally very skeptical about people who ever wrote a book about computer viruses, especially if they have co-authors ;-). But while probably not an active fighter and definitely not an active writer (all books published with co-authors), Prof. Spafford seems to be an eminent collector of security-related information and his major achievement -- the COAST archive is really important.
Other reviews available:
GTER Vol. 4, Issue 4, May 1, 1997
DDJ December '94Practical Unix and Internet Security Second Edition -- review by Dan Wilder Linux Journal #34 Feb.1997
Table of Contents
I. Computer Security Basics
2. Policies and Guidelines
II. User Responsibilities
3. Users and Passwords
4. Users, Groups, and the Superuser
5. The UNIX Filesystem
III. System Security
8. Defending Your Accounts
9. Integrity Management
10. Auditing and Logging
11. Protecting Against Programmed Threats
12. Physical Security
13. Personnel Security
IV. Network and Internet Security
14. Telephone Security
16. TCP/IP Networks
17. TCP/IP Services
18. WWW Security
19. RPC, NIS, NIS+, and Kerberos
V. Advanced Topics
22. Wrappers and Proxies
23. Writing Secure SUID and Network Programs
VI. Handling Security Incidents
24. Discovering a Break-in
25. Denial of Service Attacks and Solutions
26. Computer Security and U.S. Law
27. Who Do You Trust?
App. A: UNIX Security Checklist
App. B: Important Files
App. C: UNIX Processes
App. D: Paper Sources
App. E: Electronic Resources
App. F: Organizations
App. G: Table of IP Services
Full Table of content
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: September 12, 2017