Suicidal Linux

Presented at DEF CON 13 (2005), July 29, 2005, 1 p.m. (50 minutes)

I spend a lot of my time shooting at random targets. Last year I was on a Bluetooth holy war, trying to raise awareness of Bluetooth security (or lack thereof). My talk at BH 04 was actually a two-day experiment using Bluetooth to track attendees around the conference (code available from bluetooth.shmoo.com). While the technology was simple, the message needed to get out. Bluetooth-enabled phones are dangerous and are flying under the security industry's radar screen. Fast forward a year, and the situation is much better. Bluetooth security is getting more and more coverage and research (www.trifinite.org is a great site for BT security issues), and people are (finally) getting scared.

So I decided to shift gears into a bigger hornet's nest... The holy war of Operating System security. No, not the standard issue "OpenBSD is uber secure, Windows sucks" discussion. Rather, I've been focusing on the long-term impact of each of these operating systems on the security of enterprise networks and the Internet as a whole. Any reasonable tech geek can be trained to lock down a host. Give them a checklist and some procedures and lock it down and *boom* a secure host. However, while that host may be secure today, what are the differences in long-term security between the major operating systems?

As it turns out, a lot of the long-term security issues revolve around the development method used to develop the OS. Windows is designed as one big system, and to some extent the BSDs are as well. But Linux... Linux is designed with duct tape in mind. Linux distros are held together with spit and tape, and the ramifications on security are dire. I've been gathering data from mail lists, looking at code, and talking to people running big systems in an attempt to figure out how bad things really are. I'm sure many of you will find this talk inflammatory, and that's a good thing. "Knowing is half the battle."... even if you don't want to hear it.

Presenters:

  • Bruce Potter / @gdead - the Shmoo Group
    The Shmoo Group is a non-profit think-tank comprised of security professionals from around the world who donate their free time and energy to information security research and development. They get a kick out of sharing their ideas, code, and stickers at DefCon. Whether it's mercenary hacking for CTF teams, lock-picking, war-flying, or excessive drinking, TSG has become a friendly DefCon staple in recent years past. Visit www.shmoo.com for more info.
