Re: [ISN] Start-up banks on hack-proof Linux

From: InfoSec News (isnat_private)
Date: Sun Sep 29 2002 - 23:21:11 PDT

    Forwarded from: Dave Wreski <daveat_private>
    
    > I don't mean to be rude but EnGarde is far from "secure".
    > Duct-taping LIDS on top of the system helps but attackers can still
    > compromise services, load code into memory and do naughty things.
    > Check out the following list of advisories for 2002 alone. Please
    > also note that they haven't issued advisories for the last ~2
    > months, leaving users vulnerable to several major issues.
    
    I don't think you're being rude at all, just misguided.
    
    We appreciate your pointing out that we haven't released an advisory
    in the past two months. That's because there have not been any
    publicized vulnerabilities to any component within EnGarde for at
    least the last two months that warranted a public advisory.
    
    Do you have reason to believe we have missed one? Are you thinking the
    OpenSSL worm? Our customers were at no point vulnerable to that.
    
    Security is what we do. If there is a program that you think may be
    vulnerable to an exploit as shipped with any Guardian Digital product,
    please don't hesitate to bring it to our attention, and chances are
    we'll have it fixed within 24 to 48 hours.
    
    The protection that LIDS provides is one piece of an overall defense
    in depth strategy that EnGarde employs. LIDS is in fact an integral
    component of EnGarde, pervasive throughout the entire design of the
    operating system, and provides filesystem protection as well as
    protection from things like Trojan horse attacks. I don't think anyone
    would suggest that because it isn't effective against 100% of the
    forms of attacks out there that we shouldn't use it.
    
    Additionally, we have implemented techniques to help limit exposure to
    other "naughty things," as you so succinctly stated.
    
    -- 
    Dave Wreski
    Corporate Manager                           Guardian Digital, Inc.
    (201) 934-9230                Pioneering.  Open Source.  Security.
    daveat_private            http://www.guardiandigital.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 02:23:54 PDT