[CentOS] Security advice, please

Warren Young warren at etr-usa.com
Fri Dec 26 21:43:04 UTC 2008


jkinz at kinz.org wrote:
> You are visiting the Otis Public Library in Norwich CT.  They have Linux
> based public workstations (w/Internet access). 
> (http://www.otislibrarynorwich.org/index.htm)

Do you trust the library, all of their employees, and every person who 
has ever used the computer you sit down at with the keys to your home? 
No?  Don't give them the keys to your home.

> Or you are a consultant visiting a corporate client who doesn't allow
> "outside equipment" to be used on their network, so they maintain
> specific machines for "guests" to use. (Hint, "DOD" )

Ditto.

Additionally, when using your employer's equipment, or your own 
equipment on your employer's premises, the company is legally 
entitled to watch whatever you do, and demand that you provide keys so 
they can see through any encryption.  Don't trust your employer with the 
keys to your home?  Don't access your home system from work.

> example three - A TSA attendant "accidentally" drops your
> laptop.. in front of a forklift... (Merry Christmas!)

Life is hard.  You cannot plan for every eventuality.

> All your ideas are good ones to which I would add using port knocking
> (not perfect at all but adds an additional small barrier) 

Port knocking is just a type of key.  If you use this from a system you 
do not trust or where the owner of the system has a right to know all 
the keys used on it and you don't want that person to know the key, 
don't give the key to that system.

> Unfortunately, the worst case scenario ( a compromised machine
> that does key logging) which you pointed out, will always be a 
> potential problem.. 

This is more than just a potential hazard.  There are *millions* of 
zombies on the Internet now.  Since there are only about a billion PCs 
in active use in the world, this means the chances of you borrowing time 
on a computer that's zombified is maybe 1 in a hundred.  Would you get 
in a car if the chances of getting into an accident were 1:100?

The odds shift when you trust the security of the hardware.


