Jay Beale: Education Is Primary Defense for Secure Machines
Rethinking default services under Linux
It was with no small amount of irony that Jay Beale, lead developer for Bastille Linux, was hired by MandrakeSoft last fall to help the French Linux company bolster the security of its Linux-Mandrake distribution.
Now, after a few months in the employ of MandrakeSoft, Beale has some definite ideas about how he will be securing Linux-Mandrake and all of the other Linux distributions as well.
As he has said from day one, Beale's first set of priorities in his new job is to make Linux-Mandrake and the other MandrakeSoft products more secure. This does not mean he will be diverted from his work on Bastille. On the contrary, through the support of MandrakeSoft, Beale is getting more time and funding to work even more on Bastille than he did in the past.
Beale is one of those rare individuals who can combine his work for his employers with the work he likes to do. This is a fortuitous set of circumstances not only for him, but for the rest of the Linux community as well.
Linux, Beale feels, takes a lot of heat for its perceived lack of security, and his work on Bastille is part of his continuing effort "to raise the bar on Linux security."
Beale is quick to point out that he believes Linux is still by far one of the most secure platforms around. He cites the fact that Linux is easier to fix with patches when a hole is discovered than other operating systems are.
"Patch times are definitely a lot faster on Linux," Beale stated, adding that changes can easily be applied without disrupting the major functional pieces of the operating system.
But it is this flexibility that hurts Linux as well. Many critics point to Linux distributions' running services that leave the host machine vulnerable to attack.
Beale's reasons for this situation were twofold. "The first is this market pressure for features. This can be damaging for security," he said.
"Second, I think, is that they probably want to lower their support costs," Beale added. "They want to lower the amount of time [spent on support]." Turning every service off, one possible solution, would make it difficult for users to start working with Linux right out of the gate.
Beale's approach to Linux security is not the solid-wall nothing-gets-past approach the Bastille name seems to suggest. Instead, he believes in educating users to make the correct choices about the features running on their Linux machine.
Users of Bastille will certainly recognize this approach, since the initial setup for the product steps the user through a series of questions about what they do and don't want running on their machine.
Education, in Beale's opinion, is certainly one of the best defenses any IT worker can have. He was excited to announce that one of MandrakeSoft's first initiatives with its latest corporate acquisition, Coursemetrics, will be to build a new security-oriented training program.
"We're going to work with Jay on a course on security for newbies," said David Harden, leader of MandrakeSoft's Open Learning Project. "We can deliver a distribution where most of these services are turned on and provide them with key instructions related to security."
Such a system could explain how to turn unnecessary services off, Harden said. Beale added that the converse would work as well: ship a distribution with all of the services turned off and show how to turn them on as well as explain why they were turned off in the first place.
Beale sees this approach as being especially important now that so many Windows users, who may not even know what Telnet is, for instance, are coming across to Linux. Getting this knowledge to users is critical for better security and for maintaining the balance between a usable operating system and a totally secure operating system.