Re: [ISN] Start-up banks on hack-proof Linux

From: InfoSec News (isnat_private)
Date: Tue Oct 01 2002 - 02:03:02 PDT


    Forwarded from: Kurt Seifried <listuserat_private>
    
    > I don't think you're being rude at all, just misguided.
    
    [mass snippage]
    
    So you guys audited all the code and fixed all the recent problems
    found in libc, apache, openssl, openssh, etc, etc in the last 2
    months?
    
    This is why I'm not a huge fan of the various "secure" linux distros.
    Typically something is bolted on to a relatively insecure system to
    try and make it secure. These after the fact components (post factory
    mods? something like that =) sometimes work, and sometimes do not
    work.
    
    Case example: Argus Pitbull on solaris, a fine piece of software, a
    hacking contest goes by, no-one can break Argus Pitbull on Solaris.
    Well except for this guy who finds a kernel flaw on Solaris and
    manages to circumvent it.
    
    What has this got to do with you?
    
    The more security flaws you leave unsolved (even if they do not
    "directly affect" your users) the more likely some combination of bugs
    will occur that does allow an attacker in.
    
    Can you offer me some form of "proof" that your customers are NOT
    affected by these vulnerabilities? No. You can only say "well, from
    what little we know about vulnerability X LIDS seems to stop this
    specific attack example".
    
    Personally I believe in erring on the side of caution, i.e.
    shipping/installing security updates even if I am not directly
    affected. There are degrees of risk. Not shipping security updates to
    close potential holes in a system increases this risk.
    
    > Dave Wreski
    > Corporate Manager                           Guardian Digital, Inc.
    > (201) 934-9230                Pioneering.  Open Source.  Security.
    > daveat_private            http://www.guardiandigital.com
    
    
    Kurt Seifried, kurtat_private
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 05:12:35 PDT