
From UnderLinux Wiki

Elias Levy, or Aleph1, is the moderator of Bugtraq, one of the most important security mailing lists in the world. (c) Marcus J. Ranum

UnderLinux: In general, which is more secure: GNU/Linux or OpenBSD? Or another OS?

Aleph1: That is a pointless question without some context. For example, certainly the OpenBSD folks have done an incredible job creating a secure and stable operating system - an effort that should be emulated by others - but the application you are looking to run may not be supported under it. The most secure OS depends on your requirements.

Even with OpenBSD's success the UNIX security model is very simplistic. You can certainly write secure applications - see qmail and postfix for examples - but they require a lot of effort. Linux is interesting because there are so many groups exploring alternative security models: privileges, ACLs, subdomain, SELinux, etc.

NT had potential. It has an interesting security model, but the legacy code, insecure defaults, complexity, and lack of security savvy by application programmers used to the Windows and DOS world have left it with a rather bad track record.

You must also take into account how well the people administrating the system know the technology. You can have the most secure OS but if it's misconfigured it will be useless. Conversely, a good admin is capable of hardening a sloppy OS.

UnderLinux: Once, while surfing the web, I saw this phrase: "Wanna defeat hackers... think like a hacker... work like a security expert". What do you think about this?

Aleph1: A cliche, but a valid one. When creating defensive security technologies you must test them by attempting to defeat them before others do. Therefore you do not only require a defensive mindset but also an offensive one. Not only that but you must be better and more thorough than the ones you are defending from. As a defender you must find and fix all possible avenues of attack. As an attacker you must only find and exploit one.

UnderLinux: Can you tell us something about the book Hackers Exposed?

Aleph1: I believe you mean Hacking Exposed. It's a good book. I recommend it. It does a good job at describing the methodology of penetrations. It's a technical book that shows you how to use the tools available for the job. Sadly this means that it is likely to become outdated after a while. Luckily the publisher seems to be doing a good job at keeping it up to date. A second edition is out. Nonetheless, the basic techniques it teaches are independent of specific technologies.

UnderLinux: Nowadays, what kinds of documents and programs raise the most expectation and interest for you?

Aleph1: Those that make it difficult for people to shoot themselves in the foot. Security today is too fragile. Take for example buffer overflows. While we can place great efforts into teaching people how to avoid buffer overflows in languages such as C it is likely they will introduce them into their programs anyway. It makes more sense from a security perspective to replace the language with one that makes buffer overflows difficult.

Similarly I am interested in areas that help you encapsulate knowledge about computer security and help users do the right thing instead of letting them guess what is the right thing. For example, configuring a firewall correctly can be quite complicated and there are many nuances. We need to make it easier for folks to configure securely.

UnderLinux: Do you think that problems like spoofing and DDoS will be defeated in the next 10 years? Can you foresee any solution for these problems?

Aleph1: I believe we'll find and deploy ways to mitigate them but not to do away with them. Denials of service are inherent in any finite system. The Internet architecture has made them even easier by its lack of authentication and resource allocation. In the future we'll have mechanisms that make detecting and tracking network based denials of service easier. It's likely that some areas of the Internet will support resource allocation which will minimize some of the DoS effects.

UnderLinux: What suggestions can you give to those who want to be a security expert?

Aleph1: Do a broad survey of the security landscape. There are many areas of interest out there. After you've gained a general understanding of the security world select an area you'd like to specialize in. Repeat ad infinitum. Bonus points for standing back after a while and trying to find ways to fit all the pieces together into a coherent and interoperable whole.


UnderLinux Team.
