On Fri, Oct 25, 2002 at 02:35:54PM +0100, Dougie G Lawson wrote:

> Looking at recent Linux exploits; even the Apache SSL V1 Slapper probably
> wouldn't do anything more than take a segmentation fault on an S/390 or
> zSeries penguin (it was taking a segfault on my x86 SuSE Linux system
> before I patched it). The same goes for PowerPC and other non-Intel
> architectures. I think we also get some protection since Linux for
> zSeries is big-endian.
>
> So while security patches should be applied when available, I'm not sure,
> IMHO, that there is the same degree of urgency to apply them.
This kind of "protection" is known as "security through obscurity" and is
really no security at all. If your system's data and availability are
important to your business, then security patches are an urgent matter.
Nobody wants to explain, after a compromise and serious downtime, that they
didn't think it was important enough to worry about.

> Hercules does pose a risk, it gives the determined cracker an emulated
> platform to develop code that can exploit our platform. It runs on his
> stock standard x86 PC. Are they going to bother with Herc, when writing
> code to exploit x86 is so much easier? What are their motives? What do
> they get from writing this malicious code? Is this just the script kiddies
> with too much spare time?
>
> So the answer isn't "no" it is "less vulnerable".

Given the class of hardware that S/390 inhabits, these generally represent
large installations, often even high-profile ones. The so-called "script
kiddies" won't generally be able to adapt their exploits to work on it, but
this is not the most worrisome sort of attacker anyway. The ones to be
concerned about are those who have targeted you specifically, because they
will cause far, far more damage if they are able to penetrate.

As for developing S/390 exploits, there is no need to have any big iron, or
even Hercules. The necessary hardware-specific information is already widely
available on the web.

> It's all about assessing the risk vs the cost. You can probably take the
> NOARCH srpms and build from source if you're very paranoid or are running
> a very sensitive application. I agree with Mark Post's reply "If you've
> bought support, ask RedHat".

Indeed, one of the saving graces of open source software (from a business
perspective) is that you never need to be at the mercy of your vendor. If
you require a different variety of service than what they provide, you are
free to bring your own IT resources, or those of consultants, to bear on the
issues.

--
 - mdz
