On Thu, 15 May 2003, steve ulrich wrote:

> when last we saw our hero (Wednesday, May 14, 2003),
> Daniel Taylor was madly tapping out:
>
> > On Wed, 14 May 2003, Matthew S. Hallacy wrote:
> >
> > > On Fri, May 09, 2003 at 09:48:19AM -0500, Daniel Taylor wrote:
> > >
> > > > As security features go it is a pretty good one. I'd like to see
> > > > perl gone also. For a production firewall you want nothing that
> > > > makes it any easier for an intruder to install software on the
> > > > computer than necessary. Of course, this means that you have to
> > > > do all of your binary production on a compatible dev system, but
> > > > that is as it should be.
> > >
> > > Until they just scp their statically linked programs in. Not having
> > > a compiler on the system does nothing for security.
> > >
> > It eliminates entire classes of attack. There is no such thing as
> > perfect security, but why make it any easier for the bad guys than
> > you have to?
> >
> > Not having a compiler/interpreter on the system means they _have_ to
> > have pre-compiled static/compatible binaries for the system.
> >
> > This pretty much eliminates cross platform automated attacks, and
> > ensures that _your_ attacker will have to approach your system with
> > the personal attention and TLC that it deserves ;)
>
> this might stop the script kiddie - but it's not going to stop a
> seasoned pro. rule one - make sure you have infrastructure to
> bootstrap your rootkit independent of access to a compiler, build
> yerself infrastructure. when people pull this logic out it always
> cracks me up. what you really need is an environment that doesn't
> support user code. the pros have the ability to insert statically
> linked executables on the fly from their own infrastructure.

Right. It stops script kiddies. It stops self-recompiling worms. It
leaves attacks directed at your hardware/software combination and
attacks directed at you by pros.

This is essentially what I said above.
--
Daniel Taylor dante at argle.org
Forget diamonds, Copyright is forever.

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
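Both sides of the thread agree on one thing: on a host with no compiler or interpreter, anything an intruder runs has to arrive as a pre-built, statically linked binary. That gives a defender a concrete thing to look for. The script below is an added example written for this page, not code from the list or from any poster: it reads ELF program headers directly (no reliance on `file` or `ldd`) and flags executables that carry neither a PT_INTERP nor a PT_DYNAMIC segment, i.e. static drop-ins, in a directory such as /tmp. The sample ELF images and the directory layout are constructed here for illustration.

```python
import os
import struct
import tempfile
PT_DYNAMIC, PT_INTERP = 2, 3  # program-header types that imply dynamic linking

def elf_link_type(data: bytes) -> str:
    """Return 'static', 'dynamic' or 'not-elf' for the leading bytes of a file."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return "not-elf"
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    cls64 = data[4] == 2                # EI_CLASS: 2 = ELF64, 1 = ELF32
    (phoff,) = struct.unpack_from(end + ("Q" if cls64 else "I"), data, 32 if cls64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if cls64 else 42)
    for off in range(phoff, phoff + phnum * phentsize, max(phentsize, 1)):
        if off + 4 > len(data):
            break  # headers beyond what was read; assumption: they sit near the front
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type in (PT_DYNAMIC, PT_INTERP):
            return "dynamic"
    return "static"

def scan_for_static_executables(root: str) -> list:
    """Walk `root` (e.g. a staging dir like /tmp) and list statically linked ELF executables."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.access(path, os.X_OK):
                continue
            with open(path, "rb") as fh:
                head = fh.read(4096)  # ELF and program headers normally lead the file
            if elf_link_type(head) == "static":
                hits.append(path)
    return sorted(hits)

def make_elf64(dynamic: bool) -> bytes:
    """Constructed sample: minimal LE ELF64 header plus one PT_INTERP or PT_LOAD header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # class64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP if dynamic else 1, 4, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr

def demo() -> set:
    """Write both constructed samples to a temp dir, scan it, return flagged basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, dyn in (("dropped-static", False), ("normal-dynamic", True)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(make_elf64(dyn))
            os.chmod(os.path.join(tmp, name), 0o755)
        return {os.path.basename(p) for p in scan_for_static_executables(tmp)}
```

Legitimate static binaries exist (busybox-style rescue tools, some Go programs), so treat a hit as something to review against the host's expected package contents rather than as proof of compromise.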