On Thu, Sep 19, 2002 at 08:15:23AM +0200, Giuseppe Ghibò wrote:
> Well, and if the patch doesn't exist yet? And furthermore I repeat,
> in most cases there isn't ANY sysadmin who worries about upgrades.

It exists, it just hasn't been kept up to date with the current gcc... Which makes me wonder why.

> Well, not as nimda (btw, after one year I still get apache logs full of
> nimda and red worm attempts; this means that sysadmins often upgrade
> their machines ASAP...), but the fact that there aren't so many (especially
> because on Linux email isn't the main vehicle for propagation)
> doesn't mean they aren't dangerous.

I didn't say they weren't dangerous, I just said they weren't as prevalent. And nimda/code red are both NT worms. I'll note that I was getting tons of nimda attempts when it first became well known on the net. The latest Linux worm has elicited maybe a few dozen possible (can't say for sure because of the way it attempts to do it) attempts since it showed up on slashdot. Comparing the threat of an NT based worm to a Linux based worm is specious at best. I believe the Linux community is far better suited to respond to threats. How many email worms has Windows had? How long did it take Microsoft to get fixes that reliably stopped the propagation of these worms? How long does it take the Linux community to respond to similar threats? You do the math.

> when updates don't cause you to reconfigure your daemons... ;-)

Very rarely have we had to put out an update that requires reconfiguration. We almost always patch to fix security issues. So that's a really lame response. I can think of only one case that warranted that type of upgrade, and that was an Apache upgrade because we moved everyone to using the new style configuration setup (commonhttpd.conf et al).

> Tell me, of the latest 100 Linux security advisories for daemons having
> buffer overruns giving the possibility to obtain a remote shell (or root
> shell), how many of them would have been blocked (with a DoS for instance)
> if the daemon had had libsafe active or was compiled with stackguard enabled.

What you're not taking into consideration here is the potential real problems Mandrake would have in implementing stackguard. Compiling everything in the distro with it probably wouldn't be an option because I'm positive there are at least a few things that it wouldn't work right with. Making it an option to use isn't exactly an easy thing to do because it's a compile time option, not a run time option. Mandrake is already limited on space for new RPMS.... Where are we going to find the MB if not GBs to put the duplicated RPMS?

> If we had based our security on what other distros do, then we wouldn't
> have had any msec, libsafe, kernel-secure, etc., and all our security tools
> would have been tcp_wrappers...

You're certainly not the only distro shipping libsafe or secured kernels. And the stackguard patch to gcc isn't exactly new; it's been around for years. There has to be a reason why other distros haven't adopted it. Or for that matter why Mandrake hasn't adopted it.

However, the last fear I have about implementing it is that it will make the very thing worse that you claim is a reason for implementing it. Patches are necessary with or without stackguard. As I've seen happen time and time again, firewalls became an excuse for poorly implemented security. It's not that firewalls don't have a place in a security regime. It's that many of the newbie type admins you are targeting your issues to will think that's all they have to do. So indeed I fear that applying a band-aid (stackguard) and then the ensuing PR/marketing that will surround it will create a false sense of security. And will in fact make the problem worse.

In the end, between the difficulty in implementing this change and the problems with the attitudes it might create, I tend to think it wouldn't benefit us in the long run. I could be wrong. But that's my opinion.

At any rate though, you didn't answer my question. *WHY* have other distros ignored this? It's not like it's something nobody has known about (it's been on slashdot at least once). There has to be a reason for it. Even if it is the attitude problem that I fear. We certainly should take advantage of analysis that other distros have made of the technology in determining if we should implement it. Don't you think?

-- 
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

Never take no as an answer from someone who isn't authorized to say yes.
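The thread above argues about what a stack canary (StackGuard) buys a daemon with a buffer overrun: at best the exploit becomes a crash, i.e. a DoS, and the bug still needs its patch. The following is an added illustration written for this page, not code from the message, from Mandrake, or from the StackGuard project itself. It models a single stack frame as a struct with the canary between the local buffer and the saved return address, feeds it a constructed overflow payload, and shows that the same payload hijacks the unprotected frame but only aborts the protected one. The canary value, the "legitimate" and "attacker" return addresses and the payload are all assumptions chosen for the demonstration.

```c
/*
 * Added illustration, not part of the mailing-list message above: a userland
 * model of the StackGuard canary idea the thread is arguing about. A canary
 * word sits between a fixed-size local buffer and the saved return address.
 * An overflow that reaches the return address has to pass through the canary,
 * so checking it before the function "returns" turns a control-flow hijack
 * into an abort, i.e. a DoS. Real StackGuard does this in gcc-emitted
 * prologue/epilogue code; the struct below is only a model of that layout.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16
#define CANARY    0xDEADBEEFu   /* assumed fixed canary; real ones are randomized */
#define LEGIT_RET 0x08048000u   /* assumed legitimate return address */
#define EVIL_RET  0x41414141u   /* assumed attacker-chosen return address */

/* Simplified frame: locals first, then the canary, then the saved return
 * address, mirroring the StackGuard layout (lower addresses first). */
struct frame {
    char     buf[BUF_LEN];
    uint32_t canary;
    uint32_t saved_ret;
};

enum outcome {
    RET_NORMAL,    /* returned to the legitimate address */
    RET_HIJACKED,  /* returned to an attacker-controlled address */
    RET_ABORTED    /* canary mismatch detected: process aborts (DoS) */
};

/*
 * Model a function that copies 'len' bytes of untrusted input into its local
 * buffer with no bounds check against BUF_LEN, then "returns". With
 * protect != 0 the canary is verified before the return address is trusted.
 */
enum outcome run_frame(const unsigned char *input, size_t len, int protect)
{
    struct frame f;

    memset(&f, 0, sizeof f);
    f.canary = CANARY;
    f.saved_ret = LEGIT_RET;

    /* The bug: only the frame size bounds the copy, not BUF_LEN. Clamping to
     * sizeof f keeps the model well-defined; bytes beyond buf spill into
     * canary and saved_ret exactly as they would on a real stack. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);

    if (protect && f.canary != CANARY)
        return RET_ABORTED;

    return f.saved_ret == LEGIT_RET ? RET_NORMAL : RET_HIJACKED;
}

/* Constructed payload: BUF_LEN filler bytes, 4 bytes that land on the canary,
 * then EVIL_RET over the saved return address. Returns the payload length. */
size_t build_overflow(unsigned char *out, size_t cap)
{
    const uint32_t evil = EVIL_RET;
    size_t n = BUF_LEN + sizeof(uint32_t) + sizeof(uint32_t);

    if (cap < n)
        return 0;
    memset(out, 'A', BUF_LEN + sizeof(uint32_t));
    memcpy(out + BUF_LEN + sizeof(uint32_t), &evil, sizeof evil);
    return n;
}

/* Run the constructed overflow against the model, with or without the canary. */
enum outcome demo_overflow(int protect)
{
    unsigned char payload[sizeof(struct frame)];
    size_t n = build_overflow(payload, sizeof payload);
    return run_frame(payload, n, protect);
}

int main(void)
{
    static const char *names[] = { "NORMAL", "HIJACKED", "ABORTED" };
    const unsigned char benign[] = "GET / HTTP/1.0";   /* constructed; fits in buf */

    printf("benign, protected:     %s\n", names[run_frame(benign, sizeof benign - 1, 1)]);
    printf("overflow, unprotected: %s\n", names[demo_overflow(0)]);
    printf("overflow, protected:   %s\n", names[demo_overflow(1)]);
    return 0;
}
```

Two points the model makes concrete. First, the canary is checked only at return time, so the protected daemon still dies: an attacker who can send the payload repeatedly gets the DoS the thread mentions, and a child-per-connection server merely loses one child per attempt. Second, the check is compiled into the function's epilogue, which is why it cannot be switched on for an existing binary at run time and why the overrun itself still has to be fixed with a patch.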
