Information Security News mailing list archives

Re: Start-up banks on hack-proof Linux


From: InfoSec News <isn () c4i org>
Date: Tue, 1 Oct 2002 04:03:02 -0500 (CDT)

Forwarded from: Kurt Seifried <listuser () seifried org>

I don't think you're being rude at all, just misguided.

[mass snippage]

So you guys audited all the code and fixed all the recent problems
found in libc, apache, openssl, openssh, etc, etc in the last 2
months?

This is why I'm not a huge fan of the various "secure" Linux distros.
Typically something is bolted on to a relatively insecure system to
try and make it secure. These after the fact components (post factory
mods? something like that =) sometimes work, and sometimes do not
work.

Case example: Argus Pitbull on Solaris, a fine piece of software, a
hacking contest goes by, no-one can break Argus Pitbull on Solaris.
Well except for this guy who finds a kernel flaw on Solaris and
manages to circumvent it.

What has this got to do with you?

The more security flaws you leave unsolved (even if they do not
"directly affect" your users) the more likely some combination of bugs
will occur that does allow an attacker in.

Can you offer me some form of "proof" that your customers are NOT
affected by these vulnerabilities? No. You can only say "well, from
what little we know about vulnerability X LIDS seems to stop this
specific attack example".

Personally I believe in erring on the side of caution, i.e.
shipping/installing security updates even if I am not directly
affected. There are degrees of risk. Not shipping security updates to
close potential holes in a system increases this risk.

Dave Wreski
Corporate Manager                           Guardian Digital, Inc.
(201) 934-9230                Pioneering.  Open Source.  Security.
dave () guardiandigital com            http://www.guardiandigital.com


Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
