The 21/02/14, Andrew Savchenko wrote:

> Are you considering Bruce Schneier's advice as a stupid nonsense? In
> his "Applied cryptography" he recommended one of the ways to
> strengthen a system: to use not so frequently used algorithms instead
> of selected standards because less frequently used algorithms have no
> better math but are less targeted, have less specialized hardware
> built to crack them and so on.

First, it is worth recalling he talks about algorithms used in
cryptography especially considering the context of the supposed power of
the NSA.

Second, he never talks about compilation USE FLAGS. His point is about
algorithms. Only that. Gentoo does not change algorithms in the (widely
spread) software supported by the distribution. And I'm not going to
talk about specialized hardware for cryptography that almost nobody here
will ever use.

> I never talked about a sense of security just because system has
> non-standard binaries. I talked about high variance which brings a
> _bit_ more security.

High variance applied to Gentoo or Debian IS nonsense. You won't get
high variance in any of the supported software they provide.

> Have you ever considered how systems became broken in the wild? The
> most common way (in numbers of hosts, not significance) are automated
> robots and botnets. They just scan the net, try to bruteforce any
> login service they found and try to apply any exploit appropriate
> from their database. If one has a widely used and improperly
> configured (or not timely updated) setup, it will be hacked this way.

<...>
> However I want to notice one critical security issue quite common for
> production servers: old software. It doesn't matter how many
> protection layers a system has, how skilled the person who configured it was.
> When software is old it is quite trivial to look up for CVEs and
> break the system. Quite practical encounter from my own experience: I
> was asked to legitimately obtain root on the box (admin forgot
> password, reboot (with init=/bin/bash) was not an option and root
> access was needed for reconfiguration); a box was a year old RHEL
> with SELinux enforced. Third kernel exploit worked perfectly (I just
> found them on the net, not bothered to code myself). 

Agreed. That's why the efforts from distribution maintainers focus on
taking care to _not_ provide such software enabled this way by default.
A large security effort relies on the admins, first. Upstream has little
responsibility for security nonsense coming from the users.

>                                                    . Such trivia with
> Gentoo and its custom binaries is not possible. And Gentoo is quite
> good with recent software updates (RH sometimes is too slow with
> critical kernel/libc issues).

Such a security issue is not avoidable, whether it is Gentoo or not. Then,
the best point is to have a wide community to ensure better support and
surveillance on security issues in order to expect better support by the
community to offer _updates_.

>                                             My point is that Gentoo
> provides native techniques to raise the attack cost. That's all.

And I'm afraid.

-- 
Nicolas Sebrecht
