Alan wrote:

>On Saturday 08 December 2001 14:36, Crispin Cowan wrote:
>
>>Alan wrote:
>>
>>>Is 2.4.x available for it yet? (With the proper patches. I know Greg made
>>>one without, for testing purposes.)
>>>
>>Not as such. But you can just drop a 2.4 kernel into the Immunix 7
>>system if you want to, and you don't want the kernel security features.
>>
>
>Actually, I do want the kernel security features. That is why I asked.
>

Immunix kernel stuff (SubDomain, NetDomain, and RaceGuard) are not presently available for Linux 2.4. When we produce them is a business decision. It can be influenced by paying customers :-)

>What is your opinion of the grsecurity patches at http://www.grsecurity.net/ ?
>
>They look interesting, but I have not dug into them yet.
>

From the outside, it looks like a reasonable integration of various best-of-breed kernel security enhancements. Nothing new or unique, but they show good taste in the features they integrated.

However, we have dug into the inside, in attempting to port some features to LSM (Linux Security Module http://lsm.immunix.org/) and Chris Wright reports that some of the code quality inside is not so good. Numerous bugs had to be fixed, and (IIRC) we ended up going back to original sources and not using grsecurity-derived code.

>>The SecureID cards require the user to enter a PIN on the card's hexpad
>>keyboard. That's the kind of authentication I'm talking about. It is
>>more problematic with dongle-style tokens like iButtons and USB dongles,
>>as they (likely) will use the PC's keyboard to enter the user
>>authentication. That's problematic because it can be sniffed, unlike the
>>SecureID card's built-in keyboard.
>>
>These are different than the SecureID devices I have seen in the past. They
>were just time based one time passwords. (That may be the protocol I was
>thinking of that has been weakened.)
>

There are a lot of different tokens in the world http://developer.netscape.com/tech/security/certs/cards.html and I am not an expert in that area. Some use time-based one-time PADs, some use RSA challenge-response, some have a keypad and LCD display for entering the challenge response, others use some kind of smartcard interface.

One of my favorite cute ideas is the Smarty, which is a smart card reader in the form factor of a 3.5" floppy, so that with a little software, any PC with a floppy drive can read smart cards. Unfortunately, it no longer seems to be available.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:57 PDT