linux security - Feb 1997 - Tiger team.

Hi,

I''m back. :-)

Alex and a few others have expressed concerns about the legal
implications of forming a tiger team. Maybe the term "tiger team"
doesn''t officially represent what we meant. But I don''t mind
redefining established terms if I feel like it :-)

What we here call a "tiger team" is a team of people that try to beat
the bad guys to finding security holes. To prevent the legal hassles,
you can only attempt an exploit on a system where you are explicitly
allowed to muck with security issues.

The main "plan of attack" is to

1) Create a few documents:
    "how to write a secure application".
    "How to verify an existing application".
2) Find all setuid applications and verify their security.
    Maybe we''ll come up with "junk XXXXmail, use Xmail"
(censored)
    Maybe we''ll end up with a secure XXXXmail (Nah...)
3) Find all programs that "root" uses, especially those run from
"cron"
   and verify wether they can be fooled into giving away their privileges.


I''ll try to get a majordomo server up and running in the next few days
on an easy to remember address. I''ll announce the address once
it''s up.

				Roger.

On Mon, 3 Feb 1997, Rogier Wolff wrote:
>
> Hi,
>
> I''m back. :-)
>
> Alex and a few others have expressed concerns about the legal
> implications of forming a tiger team. Maybe the term "tiger team"
> doesn''t officially represent what we meant. But I don''t
mind
> redefining established terms if I feel like it :-)
I of course would vote for Linux Urgent Security Team (LUST).

Seriously, I have been considering a Linux Security Howto for quite some
time now.  But in light of some of the recent events, I would think that a
Linux Security Manual in the tradition of the other Linux book type
publications would probably be necessary.

I have broached this idea before on the LDP author list, and the primary
objection was that there was enough Unix security books already available.
I think that it is time that one was written anyway.

I would consider such an endevor solo, but I would prefer at least ONE
co-author.  I beleive that I know quite a bit about Linux security, but I
would like some help.  I beleive that I am able to write a valuable book
about Linux security, although I don''t consider myself a complete
expert
on the subject.

Specifically, I would like to form a small team that would construct the
manual.  I would also like input from anyone that knows about Linux
specific attacks that are not well/or at all published (/proc system
attacts are of particular interest to me as I beleive that they are there,
but have seen none published).

I beleive that a guide that helps make Linux more secure would be good for
anyone.  I have been collecting various security information, exploits,
and general security tips for well over a year.

				Mike Jackson
				Linux Shadow Password Howto Author