when last we saw our hero (Thursday, May 15, 2003), Daniel Taylor was madly tapping out: > On Thu, 15 May 2003, steve ulrich wrote: > > > when last we saw our hero (Wednesday, May 14, 2003), > > Daniel Taylor was madly tapping out: > > > On Wed, 14 May 2003, Matthew S. Hallacy wrote: > > > > On Fri, May 09, 2003 at 09:48:19AM -0500, Daniel Taylor wrote: > > > > > > > > > As security features go it is a pretty good one. I'd like to > > > > > see perl gone also. For a production firewall you want > > > > > nothing that makes it any easier for an intruder to install > > > > > software on the computer than necessary. Of course, this > > > > > means that you have to do all of your binary production on a > > > > > compatible dev system, but that is as it should be. > > > > > > > > Until they just scp their staticly linked programs in. Not > > > > having a compiler on the system does nothing for security. > > > > > > > It eliminates entire classes of attack. There is no such thing > > > as perfect security, but why make it any easier for the bad guys > > > than you have to? > > > > > > Not having a compiler/interpreter on the system means they > > > _have_ to have pre-compiled static/compatible binaries for the > > > system. > > > > > > This pretty much eliminates cross platform automated attacks, > > > and ensures that _your_ attacker will have to approach your > > > system with the personal attention and TLC that it deserves ;) > > > > this might stop the script kiddie - but it's not going to stop a > > seasoned pro. rule one - make sure you have infrastructure to > > bootstrap your rootkit independent of access to a compiler, build > > yerself infrastructure. when people pull this logic out it always > > cracks me up. what you really need is an environment that doesn't > > support user code. the pros have the ability to insert > > statically linked executables on the fly from their own > > infrastructure. > > > Right. It stops script kiddies. It stops self-recompiling worms. It > leaves attacks directed at your hardware/software combination and > attacks directed at you by pros. > > This is essentially what I said above. very true. i hopped into this thread in the wrong spot. it bears noting that in some circles, automation of the above is already taking place in some frighteningly small insertion kits. which seem to be making their way into the hands of script kiddies. it's for this reason that i personally won't run a fw on a general purpose platform. -- steve ulrich sulrich at botwerks.org PGP: 8D0B 0EE9 E700 A6CF ABA7 AE5F 4FD4 07C9 133B FAFC _______________________________________________ TCLUG Mailing List - Minneapolis/St. Paul, Minnesota http://www.mn-linux.org tclug-list at mn-linux.org https://mailman.real-time.com/mailman/listinfo/tclug-list