Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Beta version 0.7; May 17, 1998

Practical Unix and Internet Security

by Simson Garfinkel, Gene Spafford


List: $39.95. Usual discount 20%. 

2nd Edition
Paperback, 1004 pages
Published by O'Reilly & Associates
Publication date: April 1996
ISBN: 1565921488
 
        Reviewed by Nikolai Bezroukov
April 30, 1998

Abstract

Somewhat outdated (two years old in a very dynamic field: how to fight Rootkit is not even mentioned; Bugtraq mentioned only in the supplement, etc.). Far from being practical the book can be used only as an introductory text in Unix security. Much more correct title would be Unix Security Cookbook, Introduction to UNIX and Internet Security or even Unix Security for Dummies. The book is not recommended for Internet security (superficial and incomplete).  Good style --  Simson Garfinkel of The UNIX-Haters Handbook fame  is a talented journalist (but now a journalist only, see his interview with Amazon.com). The main problem with the book is that instead of relying on tools as any Unix author should, the authors use a cookbook/reference approach, giving recipes about improving security. References to important RFCs, FAQ and CERT advisories are absent. For example RFC1244 (now superseded by RTC2196) is not mentioned in the index (and probably in the text as well) although chapter 2 and chapter 24 mirror its content. No attempts were made to explain what tools can be used for checking/fixing a particular class of problems or to present a bigger picture in which the flaw exists. The typesetting is primitive. Although one of the authors is a (former) programmer judging by just the book content it is difficult to believe that he is able to spell PERL ;-). The book is not updated enough to compete with newer books on Internet Security. For corporate users possible alternatives are combinations of one book on Unix security (for example, Unix System Security by David A. Curry; IMHO a second edition of this book would be really great) and one book on Internet security (for example Actually Useful Internet Security Techniques by Larry J. Hughes). The last is recommended as an alternative for PUIS for readers who cannot afford two books. Often books written by a specialist in particular areas can be a better deal than books from security folks. For example TCP/IP Network Administration by Craig Hunt contains a lot more information about how to properly configure TCP/IP than this book and in chapter12 has a very decent overview of security in just 40 pages.
 

The problem with second edition of the "Practical Unix and Internet Security" (PUIS for short) is that authors tried to kill two birds with one stone and as a result the book is neither very good  for Unix security, nor for Internet security (actually the book is pretty weak as for Internet security --  the problem of CGI security is discussed only in passing (p.544-549) although it definitely deserve a special chapter; language issues (Java, JavaScript, Perl etc) are not discussed at all). 

The authors compile a vast amount of available material on UNIX security into quite a readable volume written in a very good (for an introductory book) style. The emphasis is on understanding areas in which security is compromised, but some general information about UNIX is also provided. After the map of such areas is constructed one can do own research.  The list of the "support stuff" is really impressive and includes Dan Farmer and Wietse Venema (the latter reviewed chapter on wrappers).

The book is very good in providing history of UNIX in general and particular subsystem. For example it is one of the few books I read, that  provides some information on Multix (p.9) as a predecessor of UNIX. Most just mention this fact.

Although almost all information from the book (and much more) is available on the WEB and conference proceedings, it would take some time to get it and systemize the way the authors did. There are summaries after each chapter -- a  plus for an introductory book. The book covers a large number of topics, although some of them are slightly remote from the subject (computer crime law, physical security, personnel security, etc.). As an introductory book it is fairy good in providing some basic UNIX system administration information.

The threats to a UNIX system used as a server in the commercial environment vary greatly in terms of intent, sophistication, technical means, and potential impact. In order of diminishing probability threats can be categorized into the following groups:

  1. Overworked (and sometimes incompetent, inquisitive, or just lazy) sysadmins (no patches applied for years, blatant configuration holes, no backups, etc.). Unfortunately, few UNIX administrators can spend several hours a week reading advisories, installing patches to keep security of their machines on the highest possible level, but still configuration errors is the security problem that probably should be addressed first.
  2. Disgruntled employee, contractors, trainees or other people intent on seeking revenge for some perceived wrong; here some monitoring can help, but it's much more difficult task than the first one.
  3. Crooks interested in personal financial gain or stealing services or information (difficult to counter);
  4. People driven by more or less pure technical challenge (hackers, very difficult to counter if they are insiders);
  5. Organized crime;
  6. Industrial espionage.

Based on validated incidents the first three category are most common, while the last three are getting most media coverage. 

Chapters are very uneven. Generally they can be read in any order. I would like to recommend to read chapter 4 (Users, Groups. and the Superuser), chapter 5 (The UNIX filesystem), chapter 6 (defending Your Accounts), chapter 7 (TCP/IP services), chapter8 (Defending Your Accounts), chapter 10 (Auditing and Logging) chapter 20 (NFS Security) and chapter 23 (Wrappers and Proxies). They contain useful material and can serve as a good starting point for collecting additional information on the Net. 

Shortcoming

I see the following shortcomings in the second edition: 

The most important problem is that the authors do not explain what tools to use and how to use them and what are reasonable priorities in UNIX security. For example they do mention that most of security problems are configuration problems, but only in passing. IMHO this should be the central theme of the book.  I was unable to find The most difficult issue in UNIX security is to avoid introducing arbitrary and often unnecessary measures(for example "password fascism") that makes users less productive without influencing (or even making it worse) an overall security.

The book does not have Web page with updated WEB resources, but this is a minor fault as COAST archive can be used instead (there is a standard page on O'Reilly WEB site, it should be probably ignored). I would like to recommend course notes to the course LT 468 -- Internet and System Security, Dept. of Computer Sciences, Purdue University.

There are also some minor points. For example they consider UUCP not suitable for 14.4Kb or faster lines, which is not true. In Europe it is widely used (Taylor UUCP is probably the most common type of Internet connection in xUSSR and  works well at 14.4Kb or faster lines). There is no "Recommended Supplementary Reading" information after each chapter.

Conclusions

The main question that needs to be answered is how well the book fare in comparison with RFCs and other materials freely available on the Net. The answer is that it is a useful starting point and contains basic information on a lot of aspects of UNIX security. One can get almost all information from the WEB, but with additional efforts.

The second question is how well the book fairs among other similar book. I would like to say that it is above average as for UNIX security (compare with Unix System Security by David A. Curry) and below average as for Internet/Web security.

Alternatives include combining one book on Unix security with a book on Internet security.  I would reccomend the following book on Unix seciruty:

Unix System Security: A Guide for Users and System Administrators (Addison-Wesley Professional Computing Series) by David A. Curry.   See also Improving the Security of Your UNIX System The "SRI Paper" that has been widely distributed around the Internet. It was written in 1990 and was a predecessor to the UNIX System Security book.  David A. Curry is the author of  UNIX Systems Programming for SVR4 and is also active tool developer (see his home page for the complete list). Among them are(description are borrowed from the author's page):

As for Internet Security I would like to recommend:

Generally there are now a lot of comprehensive books on Internet/Web Security. Often books written by a specialist in a particular protocol can be a better deal that the book from security professionals (paraphrasing old saying about teaching one can say that "those who can -- write programs, those who cannot go to system administration and those who neither can write program nor perform system administration write books about computer security" :-). For example TCP/IP Network Administration by Craig Hunt contains a lot more information about how properly configure TCP/IP than PUIS and in Chapter 12 has a very decent overview of security in just 40 pages.

IMHO the book is best suited to the users with little or no programming experience (students, hobbyists, probably IS managers, etc.) and a limited exposure to UNIX. It is not the best book for professional UNIX system administrators, but still it's a well-written introductory book. IMHO to pretend that this is a professional reference was a major mistake made by the authors. All in all I would like to mark it with 7 on 10 grade scale.


Examples are available via FTP ftp.ora


Authors info:

Simson Garfinkel of The UNIX-Haters Handbook fame  is a gifted journalist, columnist at WIRED Magazine.  He recently created own his own ISP company(see www.www.vineyard.net) that in April, 1998  has approximately a hundred customers. So now he probably has some experience "from the trenches" unless due to his "unix_hatism" he use NT (see for example his "unix_hatist" essay The Fundamental Flaws of Unix -- the essay that surprisingly superficial and lucks understanding of current trends in UNIX architecture  -- cornerstone of any such explore). Currently he is a a freelance technology writer working mainly in Wired. Some years ago he was an editor at SunExpert magazine. He graduated from MIT in '87  then was a Ph.D. candidate at the Media Lab from 90-91. Now he is resident of a little island off Massachusetts -- Martha's Vineyard. It  isn't as exciting as everyone thinks to live of such an island, however. They don't even have a mall, and it probably gets mighty boring in the winter ;-).

He is the author of several other books:

See also Amazon.com Author Interview -- Amazon.com talks to Simson L. Garfinkel.  In this interview to amazon.com he told "...I think that the biggest issue facing our society today is the lack of rational design, peer review, and common sense that is going into technological systems.".  This is of course true, but to a certain extent applied to his books ;-).  

Eugene H. Spafford (Dept. of Computer Sciences, Purdue University) probably belong to the "computer security establishment". He is a professor of Computer Sciences (according to his vita since 1979 he has taught courses in OS, compiler and language design, computer security, computer architecture, software engineering, networking and data communications, and somewhat alarming ;-) on issues of ethics and professional responsibility),  the founder and director of the Computer Operations, Audit, and Security Technology (COAST) Laboratory (that maintains the world's largest archive on computer security).  

He seems published all his books with co-authors, most frequently with Simson Garfinkel. Some materials on his page are rather outdated (probably 1996) but it seems that till 1996 he lead Purdue Security Seminar -- semi-regular, informal seminar on issues of computer security and taught course CS 590T -- Penetration Analysis. His resume shows that he probably switched to mainly managerial duties connected with COAST  approximately from 1993.  An interesting project that he was involved was the Spyder Project concerned with research into new methods of debugging software. He was also participated in design of the current naming structure of Usenet. For 11 years, he updated the news.announce.newuser  and posted them to the Usenet.  In 1993, he retired from the task. Here is the collection of quotes that can probably give some insights into his personality. He also manage Web-head list. He definitely has a good sense of humor.

Somewhat alarming is the fact that he claims to be a co-author of a  book on computer viruses (Eugene H. Spafford, Kathleen A. Heaphy, and D. J. Ferbrache; Computer Viruses: Dealing with Electronic Vandalism and Programmed Threats; ADAPSO, Arlington, VA; 123 pages; 1989). I am generally very skeptical about people who ever wrote a book about computer viruses, especially if they have co-authors ;-). But while probably not an active fighter and definitely not an active writer (all books published with co-authors),  Prof. Spafford seems to be an eminent collector of security-related information and his major achievement -- the COAST archive is really important.


Other reviews available:

GTER Vol. 4, Issue 4, May 1, 1997

DDJ December '94

Practical Unix and Internet Security Second Edition -- review by Dan Wilder   Linux Journal  #34 Feb.1997


Table of Contents
Preface
I. Computer Security Basics
1. Introduction
2. Policies and Guidelines
II. User Responsibilities
3. Users and Passwords
4. Users, Groups, and the Superuser
5. The UNIX Filesystem
6. Cryptography
III. System Security
7. Backups
8. Defending Your Accounts
9. Integrity Management
10. Auditing and Logging
11. Protecting Against Programmed Threats
12. Physical Security
13. Personnel Security
IV. Network and Internet Security
14. Telephone Security
15. UUCP
16. TCP/IP Networks
17. TCP/IP Services
18. WWW Security
19. RPC, NIS, NIS+, and Kerberos
20. NFS
V. Advanced Topics
21. Firewalls
22. Wrappers and Proxies
23. Writing Secure SUID and Network Programs
VI. Handling Security Incidents
24. Discovering a Break-in
25. Denial of Service Attacks and Solutions
26. Computer Security and U.S. Law
27. Who Do You Trust?
VII. Appendixes
App. A: UNIX Security Checklist
App. B: Important Files
App. C: UNIX Processes
App. D: Paper Sources
App. E: Electronic Resources
App. F: Organizations
App. G: Table of IP Services
Index

 

Full Table of content


Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater�s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright � 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019