| 1 |
The 21/02/14, Andrew Savchenko wrote: |
| 2 |
|
| 3 |
> Are you considering Bruce Schneier's advice as a stupid nonsense? In |
| 4 |
> his "Applied cryptography" he recommended one of the ways to |
| 5 |
> straighten a system: to use not so frequently used algorithms instead |
| 6 |
> of selected standards because less frequently used algorithms has no |
| 7 |
> better math but are less targeted, have less specialized hardware |
| 8 |
> built to crack them and so on. |
| 9 |
|
| 10 |
First, it is worth recalling he talks about algorithms used in |
| 11 |
cryptography especially considering the context of the supposed power of |
| 12 |
the NSA. |
| 13 |
|
| 14 |
Second, he never talks about compilation USE FLAGS. His point is about |
| 15 |
algorithms. Only that. Gentoo does not change algorithms in the (widely |
| 16 |
spread) softwares supported by the distribution. And I'm not going to |
| 17 |
talk about specialized hardware for cryptography that almost nobody here |
| 18 |
will ever use. |
| 19 |
|
| 20 |
> I never talked about a sense of security just because system has |
| 21 |
> non-standard binaries. I talked about high variance which brings a |
| 22 |
> _bit_ more security. |
| 23 |
|
| 24 |
High variance applied to Gentoo or Debian IS non-sense. You won't get |
| 25 |
high variance in any of the supported softwares they provide. |
| 26 |
|
| 27 |
> Have you ever considered how systems became broken in the wild? The |
| 28 |
> most common way (in numbers of hosts, not significance) are automated |
| 29 |
> robots and botnets. They just scan the net, try to bruteforce any |
| 30 |
> login service they found and try to apply any exploit appropriate |
| 31 |
> from their database. If one have a widely used and improperly |
| 32 |
> configured (or not timely updated) setup, it will be hacked this way. |
| 33 |
|
| 34 |
<...> |
| 35 |
> However I want to notice one critical security issue quite common for |
| 36 |
> production servers: an old software. It doesn't matter how many |
| 37 |
> protection layers system have, how skilled person configured it was. |
| 38 |
> When software is old it is quite trivial to look up for CVEs and |
| 39 |
> break the system. Quite practical encounter from my own experience: I |
| 40 |
> was asked to legitimately obtain root on the box (admin forgot |
| 41 |
> password, reboot (with init=/bin/bash) was not an option and root |
| 42 |
> access was needed for reconfiguration); a box was a year old RHEL |
| 43 |
> with SELinux enforced. Third kernel exploit worked perfectly (I just |
| 44 |
> found them on the net, not bothered to code myself). |
| 45 |
|
| 46 |
Agreed. That's why the efforts from distribution maintainers focus on |
| 47 |
taking care to _not_ provide such softwares enabled this way by default. |
| 48 |
A large security effort relies on the admins, first. Upstream have few |
| 49 |
responsability in security non-sense coming from the users. |
| 50 |
|
| 51 |
> . Such trivia with |
| 52 |
> Gentoo and its custom binaries is not possible. And Gentoo is quite |
| 53 |
> good with recent software updates (RH sometimes is too slow with |
| 54 |
> critical kernel/libc issues). |
| 55 |
|
| 56 |
Such security issue is not avoidable whatever it is Gentoo or not. Then, |
| 57 |
the best point is to have a wide community to ensure better support and |
| 58 |
surveillance on security issues in order to expect better support by the |
| 59 |
community to offer _updates_. |
| 60 |
|
| 61 |
> My point is that Gentoo |
| 62 |
> provides native techniques to raise the attack cost. That's all. |
| 63 |
|
| 64 |
And I'm afraid. |
| 65 |
|
| 66 |
-- |
| 67 |
Nicolas Sebrecht |
Archives