Linux in the news
All in one big page
See also: last week's Security page.
News and editorialsThe last thing we wanted to do this week was to focus again on Distributed Denial of Service attacks. However, it remains true that the top security-related stories this week seem to be focusing in this area. So we'll attempt to give you access to a variety of the more interesting ones.
White House Internet Security Summit. President Clinton
took 90 minutes out of his schedule on February 15th to attend
this summit. Gene Spafford, from Purdue, was one of two academics
invited to attend and nicely sent out this detailed report. A nice look at the political process
in action, for once with people relatively behaving themselves.
He outlined 7 points made in the summit that no one seemed to
Wayne Madsen calls it media hype and planned Pentagon disinformation in this editorial. Note that Madsen considers himself an insider in the "spook" community, having served in the Navy, and worked in the National Security Agency, State Department, Computer Sciences Corporation, RCA, and more. "The hype associated with the recent Internet flooding is outrageous and serves the agendas of the military and intelligence communities regarding new vistas for bloated Pentagon and espionage budgets."
He makes some interesting points, but primarily serves to fuel the same media hype that he disparages so heavily. Oh, yes, the President's attendance at the above summit was another item that offended him horribly.
Cyber Vigilantes. The NUA KNOWLEDGE NEWS published this editorial in their free weekly email newsletter. Again, a bit inflammatory, but the point is interesting and might explain why the culprits in the recent DDOS cases have been so hard to track down. "Without government the choice is chaos or vigilantism. The current search for the hackers behind the major spate of website attacks is a mix of both. Scores of security firms are out looking for the culprits. Their driving objective has nothing to do with law and justice and everything to do with the hoped for PR announcement that their firm caught the nasty hacker. Members of these firms are posing as suspects and friends of suspects in online chat rooms and other areas, to the extent that 'suspects' are turning up all over the place at the same time confusing everybody."
Security ReportsThis week's open source-related security reports primarily came from the *BSD community, as luck would have it. They included:
UpdatesDebian update for GNU make. Here is the Debian advisory to go with the update to the GNU make package to which we already provided a pointer in this week's Security Summary. An immediate upgrade is recommended.
ResourcesLinuxSecurity.com debuts. LinuxSecurity.com has been announced. "Guardian Digital, Inc., an upstart Open Source security company and primary sponsor of LinuxSecurity.com, provides consulting, installation & support and computer security services to businesses looking to use the Linux Open Source operating system. LinuxSecurity.com is intended as a pro-Linux and Open Source site that strives to provide objective and helpful information for the general Linux and Open Source community."
ITS4. John Viega has announced the release of a source code security scanner, ITS4, under an open source license. "I've put together a command-line tool for statically scanning C and C++ source code for security vulnerabilities. The tool is called ITS4. ITS4 scans through source code for potentially dangerous function calls that are stored in a database. Anything that is in the database gets flagged. ITS4 tries to automate a lot of the grepping usually done by hand when performing security audits."
John is looking for assistance improving the database that ITS4 uses.
ISIC 0.05 (IP Stack Integrity Check). Mike Frantzen released a tool to stress test IP stacks, firewall rulesets, firewall resilience and IDS implementations. ISIC "crafts random packets and launches them. You can specify the percentage of packets to fragment, to have IP options, to have bad IP versions.... Just about every field can be automagically twiddled."
Lokkit, simple firewall generator. Lokkit is a new tool from Alan Cox that sets up a simple firewall for a dialup machine in response to answers to a simple set of questions. From the look of the screen shots, lokkits might be intended as part of the Red Hat install process at some point in the future.
Events1st International Hackers Conference in Israel. The 1st International Hackers Conference in Israel will be held March 28th-March 30th, 2000. "But in Israel, where hi-tech security startups mix up with lo-tech hackers community, where a new middle east is trying to emerge from many small anarchic pieces, this is the 1st International Hackers Convention."
Section Editor: Liz Coolbaugh
February 24, 2000
Secure Linux Projects Bastille Linux
Khaos Linux Secure Linux
Security List Archives
Firewall Wizards Archive
LinuxPPC Security Updates
Red Hat Errata
Yellow Dog Errata
Comp Sec News Daily
Linux Security Audit Project