| 1 |
On 20/02/2014 22:41, Nicolas Sebrecht wrote: |
| 2 |
> On Thu, Feb 20, 2014 at 08:52:07PM +0400, Andrew Savchenko wrote: |
| 3 |
> |
| 4 |
>> And this point is one of the highest security benefits in real world: |
| 5 |
>> one have non-standard binaries, not available in the wild. Most |
| 6 |
>> exploits will fail on such binaries even if vulnerability is still |
| 7 |
>> there. |
| 8 |
> |
| 9 |
> While excluding few security issues by compiling less code is possible, |
| 10 |
> believing that "non-standard binaries" (in the sense of "compiled for |
| 11 |
> with local compilation flags") gives more security is a dangerous dream. |
| 12 |
> |
| 13 |
|
| 14 |
|
| 15 |
+1 |
| 16 |
|
| 17 |
"non-standard binaries" is really just a special form of security by |
| 18 |
obscurity. Or alternatively a special form of "no-one will eva figure |
| 19 |
out my l33t skillz! Mwahahaha!" |
| 20 |
|
| 21 |
Which is a very poor stance to take. |
| 22 |
|
| 23 |
The total amount of code not compiled by setting some USE flags off is |
| 24 |
on the whole not likely to be very much, and hoping with finger crossed |
| 25 |
that the next weakness in a package will just happen to fall within a |
| 26 |
code path that got left out by USE flags is a fools dream. |
| 27 |
|
| 28 |
I'm glad you mentioned this Andrew, because the internets are full of |
| 29 |
stupid advice like this "non-standard binary" nonsense. Yes, the |
| 30 |
arguments at face value are difficult to refute with hard facts, but |
| 31 |
those that do not known it is stupid are easily led into a sense of |
| 32 |
false security, doesn't matter how many disclaimers are tagged on the end. |
| 33 |
|
| 34 |
I reckon it's the duty of all knowledgeable sysadmins to stamp out this |
| 35 |
crap HARD every time it raises it's head. To the user who brought it up |
| 36 |
- this might seem overly harsh but I've yet to find a better method that |
| 37 |
actually works and gets through to people. |
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
-- |
| 42 |
Alan McKinnon |
| 43 |
alan.mckinnon@×××××.com |
Archives