Kurt Seifried of SecurityPortal.com
by Renato Murilo Langona
Kurt Seifried, author of Linux Administrator's Security Guide (LASG) is working in Linux Administration
for more than 6 years and is now working at SecurityPortal.com, a great security resource portal...
(LinuxSecurity Brasil)How and when was your first touch with security ? Why did you fall in
love for that? :-)
I got my first computer for Xmas quite some time ago (I think I was 16), and
loved it, ended up getting another computer a few months later and a second
phone line shortly after the modem. I tried Linux shortly after, at that
point I realized this is what I enjoyed doing (and there was no heavy
lifting involved). Over the years I tried programming, but I didn't really
enjoy that (my attention span is to short), I also tried system/network
administration and while I was ok at it I didn't really enjoy it. A few
years ago I was looking for Linux security documentation, and couldn't find
any online or in books. That was when I started writing the LASG, which
steadily spiraled out of control (I think it ended up like 200+ pages long).
Then I got my current job with SecurityPortal and of course I started doing
it full time, over a year ago and haven't looked back since.
(LinuxSecurity Brasil)Kurt, how can you describe me the relation: Security and Open Source?
Bad and good. Savvy attackers (luckily there aren't to many) can easily find
problems by doing code audits, once an attack is publicly known though a fix
is usually quite quick. In theory open source means many people can do code
review, but very few people have this expertise, witness the PGP bug, or the
constant stream of security holes in Linux and *BSD. Security still is not a
_priority_ for most people, they'll choose ease of install/features/etc over
security, and vendors give them what they want.
(LinuxSecurity Brasil)Do you think today's security is more a matter of administration than
the systems and programs you choose ?
Security is a process, ongoing and never ends. If you choose shoddy software
that is prone to problems then administering it will be that much more
difficult. You need a solid foundation to build on, this is the OS and
related software. Once you have this you need to keep it up to date, modify
configuration info as needed and so forth. You are only as strong as the
weakest link in your entire security chain.
(LinuxSecurity Brasil)Do you think that the OpenPGP and PKI standards are incompatible as
some security specialists think?
I'm one of those freaks that thinks the current PKI ideas are pretty flawed.
They work fine for discreet organizations (like a corporation or school) but
will not work for an entire country. X.509 certificates can only be signed
by one entity, so you'd need one certificate for work, one for your
government ID, one for the country club, and so on. PGP/GnuPG is a bit
better, you can have multiple signatures, but only Thawte is doing mass
signing (and not very much at that). You need to have some central form of
authority signing keys, which means those central keys need to be extremely
secure, and they need to expire periodically meaning more hassle. Of course
the whole certificate revocation thing is it's own mess and not very good
yet. I think we have a very long way to go on this issue yet.
(LinuxSecurity Brasil)If you could change the mind of any single system administrator in
the world, what would be your first change?
Uhmmm. I think a better thing would be to change the mind of managers, make
security a priority, give your people enough time and budget to do it
properly. Ditto for consumers.
(LinuxSecurity Brasil)Could you point us some great resources of security related material
you access daily ?
www.securityportal.com of course =)
/usr/(share)/doc/ - excellent reference
www.securityfocus.com - Bugtraq
(LinuxSecurity Brasil)What's your HOME operation system of choice, why ?
Win98 for desktop and laptop, Linux for file and mail server, NT server
formerly for FrontPage/auth (now decommissioned), OpenBSD (security
logging/testing), Solaris 8 and Novell 5 (moving auth to it). Basically
whichever tool is best for the job, I hate all OS's equally, they all have
their good and bad points.
(LinuxSecurity Brasil)Can you tell me 1 thing any system administrator's should do on a
daily basis for better security of their systems ?
Education. Never stop learning. Read websites, books, email lists, etc. Set
aside some time each day to learn something. I spend 10-40 hours a week
doing research and learning new things.
(LinuxSecurity Brasil)Do you believe obscurity when added to security can, somehow, improve
a server' security scheme ? why?
Sort of. For a very short while, but once found it's completely useless. I
certainly wouldn't rely on it. The best kind of security is the type an
attacker can look at in detail, analyze, and still not defeat. For example
door locks can easily be purchased by a burglar and examined, but a really
good lock will still defeat all but the most skilled attacker.
(LinuxSecurity Brasil)Have you ever been to Brazil? In front of a lot of complains and
reports of incidents coming from here, mainly from government machines,what suggestion would
you give to our authorities for better security in that aspect?
I'm not sure. Passing computer laws to punish attackers only works for
attackers within the country, passing laws to make organizations responsible
for their computer security punishes the "victims". Governments can however
sponsor OpenSource software projects, for example the German government gave
the GnuPG people DM250,000. The government can mandate the use of secure
software for it's operations, this would encourage vendors to offer such
solutions, and make it easier for businesses/etc to buy them.
(LinuxSecurity Brasil)In your opinion, what should be the starting point of any new system
administrator wanting to be a security officer/specialist?
Get education and training, paid for by your employer if possible =). Books
like "the process of network security" are a good start to. As far as online
education goes SecurityPortal has started InfoSecU
(LinuxSecurity Brasil)Which are the real benefits of IPv6 ? Is it coming to cure all IPv4
weakness ? Will people be less concerned about their privacy?
Smaller routing tables (hopefully). Privacy wise IPv6 is not better then
IPv4, in some ways possibly worse since the last part of your IPv6 address
can be your MAC address, although this is optional. IPSec protects privacy
between machines, to a degree, but it will be a long time before it is
widely implemented (we need infrastructure like DNSSEC first).
(LinuxSecurity Brasil)Finally, Could you point me Open Source tools you would never
dispense when working with security ?
OpenSSH, nmap, nessus, snort, arachnids, ITS4,...