On Saturday 08 December 2001 15:48, Crispin Cowan wrote:
> Alan wrote:
> >On Saturday 08 December 2001 14:36, Crispin Cowan wrote:
> >>Alan wrote:
> >>>Is 2.4.x available for it yet? (With the proper patches. I know Greg
> >>> made one without, for testing purposes.)
> >>
> >>Not as such. But you can just drop a 2.4 kernel into the Immunix 7
> >>system if you want to, and you don't want the kernel security features.
> >
> >Actually, I do want the kernel security features. That is why I asked.
>
> Immunix kernel stuff (SubDomain, NetDomain, and RaceGuard) are not
> presently available for Linux 2.4. When we produce them is a business
> decision. It can be influenced by paying customers :-)

Since IPTables has not been backported to 2.2.x, I figured you would want to get to it sometime soon.

I am glad to see Immunix finally promoted as being for sale. Hopefully it will drive further improvements.

> >What is your opinion of the grsecurity patches at
> > http://www.grsecurity.net/ ?
> >
> >They look interesting, but I have not dug into them yet.
>
> From the outside, it looks like a reasonable integration of various
> best-of-breed kernel security enhancements. Nothing new or unique, but
> they show good taste in the features they integrated.
>
> However, we have dug into the inside, in attempting to port some
> features to LSM (Linux Security Module http://lsm.immunix.org/) and Chris
> Wright reports that some of the code quality inside is not so good.
> Numerous bugs had to be fixed, and (IIRC) we ended up going back to
> original sources and not using grsecurity-derived code.

I am glad I asked before I dug into the code.

Openwall was going to wait until 2.4.10, then 2.4.15 before releasing code. I have yet to see any sort of release for the 2.4.x kernels from them.

(The patch collision problem is going to get bad. I have about 4-5 kernel patch sets I want to use. The last time I tried to get them all into a running kernel, it was pretty messy. (FreeSWAN especially.))

> >>The SecureID cards require the user to enter a PIN on the card's hexpad
> >>keyboard. That's the kind of authentication I'm talking about. It is
> >>more problematic with dongle-style tokens like iButtons and USB dongles,
> >>as they (likely) will use the PC's keyboard to enter the user
> >>authentication. That's problematic because it can be sniffed, unlike the
> >>SecureID card's built-in keyboard.
> >
> >These are different than the SecureID devices I have seen in the past.
> > They were just time based one time passwords. (That may be the protocol
> > I was thinking of that has been weakened.)
>
> There are a lot of different tokens in the world
> http://developer.netscape.com/tech/security/certs/cards.html and I am
> not an expert in that area. Some use time-based one-time PADs, some use
> RSA challenge-response, some have a keypad and LCD display for entering
> the challenge response, others use some kind of smartcard interface. One
> of my favorite cute ideas is the Smarty, which is a smart card reader in
> the form factor of a 3.5" floppy, so that with a little software, any PC
> with a floppy drive can read smart cards. Unfortunately, it no longer
> seems to be available. Probably too easy to use. ]:>

There used to be a page on open source smart card development that had some interesting code and pointers to development kits. Never pursued it because I never had money when I had the incentive to do it.

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:58 PDT