لطفا منتظر باشید ...
Our Security Philosophy
Computer security is full of
tradeoffs among risks, costs, and benefits. In theory, nothing less
than 100% security will protect your system, but 100% is impossible
to achieve, and even getting close may be difficult and expensive.
Guarding against the many possibilities for intrusion, not to mention
counter-possibilities and counter-counter-possibilities, can be (and
is) a full-time job.
As an example, suppose you are a careful communicator and encrypt all
the mail messages you send to friends using GnuPG, as we discuss in
Chapter 8. Let's say you even
verified all your friends' public encryption keys so
you know they haven't been forged. On the surface,
this technique prevents hostile third parties from reading your
messages in transit over the Internet. But let's
delve a little deeper. Did you perform the encryption on a secure
system? What if the GnuPG binary (gpg) has been
compromised by a cracker, replaced by an insecure lookalike? What if
your text editor was compromised? Or the shared libraries used by the
editor? Or your kernel? Even if your kernel file on disk
(vmlinuz) is genuine, what if its runtime state
(in memory) has been modified? What if there's a
keyboard sniffer running on your system, capturing your keystrokes
before encryption occurs? There could even be an eavesdropper parked
in a van outside your building, watching the images from your
computer monitor by capturing stray electromagnetic emissions.
But enough about your system: what about your
friends' computers? Did your friends choose strong
passphrases so their encryption keys can't be
cracked? After decrypting your messages, do they store them on disk,
unencrypted? If their disks get backed up onto tape, are the tapes
safely locked away or can they be stolen? And speaking of theft, are
all your computers secured under lock and key? And who holds the
keys? Maybe your next-door neighbor, to whom you gave a copy of your
housekey, is a spy.
If you're the security chief at a Fortune 500
company or in government, you probably need to think about this
complex web of issues on a regular basis. If you're
a home user with a single Linux system and a cable modem, the costs
of maintaining a large, multitiered security infrastructure, striving
toward 100% security, very likely outweigh the benefits.
Regardless, you can still improve your security in steps, as we
demonstrate in this book. Encrypting your sensitive files is better
than not encrypting them. Installing a firewall, using SSH for remote
logins, and performing basic intrusion and integrity checking all
contribute toward your system safety. Do you need higher security?
That depends on the level of risk you're willing to
tolerate, and the price you're willing (and able) to
pay.
In this cookbook, we present security tools and their common uses. We
do not, and cannot, address every possible infiltration of your
computer systems. Every recipe has caveats, exceptions, and
limitations: some stated, and others merely implied by the
"facts of life" of computer
security in the real world.
