1 |
The 21/02/14, Andrew Savchenko wrote: |
2 |
|
3 |
> Are you considering Bruce Schneier's advice as a stupid nonsense? In |
4 |
> his "Applied cryptography" he recommended one of the ways to |
5 |
> straighten a system: to use not so frequently used algorithms instead |
6 |
> of selected standards because less frequently used algorithms has no |
7 |
> better math but are less targeted, have less specialized hardware |
8 |
> built to crack them and so on. |
9 |
|
10 |
First, it is worth recalling he talks about algorithms used in |
11 |
cryptography especially considering the context of the supposed power of |
12 |
the NSA. |
13 |
|
14 |
Second, he never talks about compilation USE FLAGS. His point is about |
15 |
algorithms. Only that. Gentoo does not change algorithms in the (widely |
16 |
spread) softwares supported by the distribution. And I'm not going to |
17 |
talk about specialized hardware for cryptography that almost nobody here |
18 |
will ever use. |
19 |
|
20 |
> I never talked about a sense of security just because system has |
21 |
> non-standard binaries. I talked about high variance which brings a |
22 |
> _bit_ more security. |
23 |
|
24 |
High variance applied to Gentoo or Debian IS non-sense. You won't get |
25 |
high variance in any of the supported softwares they provide. |
26 |
|
27 |
> Have you ever considered how systems became broken in the wild? The |
28 |
> most common way (in numbers of hosts, not significance) are automated |
29 |
> robots and botnets. They just scan the net, try to bruteforce any |
30 |
> login service they found and try to apply any exploit appropriate |
31 |
> from their database. If one have a widely used and improperly |
32 |
> configured (or not timely updated) setup, it will be hacked this way. |
33 |
|
34 |
<...> |
35 |
> However I want to notice one critical security issue quite common for |
36 |
> production servers: an old software. It doesn't matter how many |
37 |
> protection layers system have, how skilled person configured it was. |
38 |
> When software is old it is quite trivial to look up for CVEs and |
39 |
> break the system. Quite practical encounter from my own experience: I |
40 |
> was asked to legitimately obtain root on the box (admin forgot |
41 |
> password, reboot (with init=/bin/bash) was not an option and root |
42 |
> access was needed for reconfiguration); a box was a year old RHEL |
43 |
> with SELinux enforced. Third kernel exploit worked perfectly (I just |
44 |
> found them on the net, not bothered to code myself). |
45 |
|
46 |
Agreed. That's why the efforts from distribution maintainers focus on |
47 |
taking care to _not_ provide such softwares enabled this way by default. |
48 |
A large security effort relies on the admins, first. Upstream have few |
49 |
responsability in security non-sense coming from the users. |
50 |
|
51 |
> . Such trivia with |
52 |
> Gentoo and its custom binaries is not possible. And Gentoo is quite |
53 |
> good with recent software updates (RH sometimes is too slow with |
54 |
> critical kernel/libc issues). |
55 |
|
56 |
Such security issue is not avoidable whatever it is Gentoo or not. Then, |
57 |
the best point is to have a wide community to ensure better support and |
58 |
surveillance on security issues in order to expect better support by the |
59 |
community to offer _updates_. |
60 |
|
61 |
> My point is that Gentoo |
62 |
> provides native techniques to raise the attack cost. That's all. |
63 |
|
64 |
And I'm afraid. |
65 |
|
66 |
-- |
67 |
Nicolas Sebrecht |