
Thread: UNIX - Linux - BSD Security Tips

  1. #31
    Senior Member gore
    Join Date: Oct 2002
    Location: Michigan
    Posts: 7,177
    Not always. If the kid doesn't chop his fingers off learning how to use it he won't grow into a man that can do much of anything with it.

    Usability and number of features usually aren't related at all. I mean seriously, you tell it to allow certain ports and drop the others...

  2. #32
    Junior Member
    Join Date: Dec 2007
    Posts: 12
    Quote Originally Posted by gore
    It's possible to take a UNIX based OS, and strip it down to nothing but the Kernel, and hack the service into the Kernel, and discard anything not related. It's DAMN hard to break into a machine that someone has done this to.
    Ignoring the rest of the post, which was, well, nothing.

    You obviously have no idea what you are talking about.
    There is a reason that applications are in userspace. Let's start with the obvious: throwing things into the kernel makes for a very volatile system; suddenly what was a simple crash can turn into a kernel panic. Oops, HTTP just took down DNS (yes, I know, stupid to put these 2 services on the one box, but I needed an example).

    You are actually starting to map memory in kernel space that could be unchecked; own one service and you are suddenly able to read and write kernel memory, which now includes every other service you are running as well. Tasty. Not that it matters, as the kernel has read and write to the entire system anyway. Got root? In other words, sure, you could probably speed up some of your services through this method (the only sane thing I could think of at this point in time that I would consider throwing into kernel space would be a static HTTP daemon), but it would be a huge security issue, huge.
    Last edited by ildjarn; December 2nd, 2007 at 01:49 PM.

  3. #33
    Junior Member
    Join Date: Dec 2007
    Posts: 12
    Quote Originally Posted by gore
    I mentioned already SUSE does this. SUSE has a whole team just for security and they do in fact go over SUSE, the core system and the rest of it, line by line, and this is one reason why they don't have as many security fixes issued as say, Mandriva.
    So from what you are saying, SUSE's security team are patching issues and not sending them upstream? I find this very hard to believe. Most of the time when an exploit for a Linux application is released and it is lacking a distro, it's laziness on the vuln coder's behalf: couldn't be bothered finding the ret values for that distro, etc. When something like Apache, or let's say something even more basic, let's say GNOME or KDE (everyone loves GUIs), and there are a lot of times, config tools etc., when processes are running with higher privileges so they are fun to target, has a vuln, why is SUSE magically spared? Because of this so-called 'line by line analysis'? Since when is SUSE running special versions of GNOME?


    Quote Originally Posted by gore
    SUSE also has a huge difference in that for over two years, by default, they have been using... Well, RXstack for example. SUSE also uses a lot of the security ideas in the default install. The Kernel for SUSE isn't the same as the Kernel in RedHat, or Slackware.
    Can I ask what you think RXstack is? Did you just see the word stack in your init.d and assume? I really am curious.

    Quote Originally Posted by gore
    With what you said above, more options would equal less security. KISS.
    This comment is just made of fail. Greater control over the flow of packets, pfsync, and some of the things you can do with its packet control functions make it a very powerful tool; layer 2 filtering, as has been mentioned before; its state inspection is so much cleaner than iptables. There is a reason that OpenBSD is considered by most to be the most secure OS. SUSE has one major flaw: it's Linux.

    Quote Originally Posted by gore
    SUSE comes out of the box with up to 4096 bit. DES, Blowfish and others are also right on the install CDs.
    Guess who you have to thank for that: OpenBSD developers and their patch for libc.

    Quote Originally Posted by gore
    Yea.... I'd MUCH rather have no games work because the project leader strokes his ego too much.... Hmm, let me see, Drivers written by the people who made the card, or drivers written by people that think it should work a certain way...

    Lol, this is why OpenBSD has less share on the desktop than FreeBSD. Nvidia took the time to write drivers for FreeBSD and Linux that are as quality as those on Windows. What's it matter if you have access to the source? I'm not a programmer, why would I care even a little?
    Your entire argument is flawed. OpenBSD isn't designed for a desktop machine, and I'm sure with the GPU instruction set, Theo would churn out much better drivers than Nvidia ever could. No matter what you think of him and his policies, you cannot deny the man is a prodigy when it comes to C. But yes, it's not aiming for desktop penetration, so that's why it doesn't have it. It is designed to be a secure box on install; it's why they can proudly boast:


    Only two remote holes in the default install, in more than 10 years!

    Quote Originally Posted by gore
    Uhhh buffer overflow safeguards ARE available in Linux. SUSE uses them.
    They are ****. SSP, stackshell, stackshield, exec shield, whatever you want to call it: pretty easy to get around if you just load your shell code into other portions of memory, or load it onto the heap. But wait, what if we protect the heap? Well, our good friend Theo has done this, and now Linux includes heap protection thanks to the code written for OpenBSD. ASLR, another huge breakthrough in protecting against these types of attacks: Theo again. So yes, SUSE may be slightly secure (remember it's still a Linux kernel, everyone point at SELinux), but it's all thanks to ideas and code made for OpenBSD.

  4. #34
    Junior Member
    Join Date: Dec 2007
    Posts: 12
    Quote Originally Posted by gore
    Not always. If the kid doesn't chop his fingers off learning how to use it he won't grow into a man that can do much of anything with it.

    Usability and number of features usually aren't related at all. I mean seriously, you tell it to allow certain ports and drop the others...
    Yeah, stateful packet inspection is just a farce... I think you need to read up on firewall theory. But then again, I guess you could be right: allowing and blocking certain ports will stop man-in-the-middle attacks, detect data being tunneled through HTTP. Don't worry gore, I'll ring Cisco and let them know their SPI research is a waste.

  5. #35
    Senior Member gore
    Join Date: Oct 2002
    Location: Michigan
    Posts: 7,177
    I'll ring Cisco for you when you figure out how to read dates.

  6. #36
    Senior Member gore
    Join Date: Oct 2002
    Location: Michigan
    Posts: 7,177
    I don't know about everyone else, but I got a message about this thread, and now, the post I was given a message because of, is gone. I don't remember half of this crap, but for the newbie who was whining about what I said about OpenBSD, and said what I posted was nothing, and that I'm wrong:

    Prove it. If you don't like me, I don't care, so take your best shot. This thread is old as crap, and I don't care if you don't agree with what I said. Prove what you think you can, but Theo is an ******* and a half, has zero people skills, and the fact that everyone says "Well OpenBSD is made just for servers and has no root exploits in the default install".... So?

    DOS has no exploits in the default install, I don't see people lining up to use that crap either. I don't like OpenBSD, and it's no secret. I'm pretty loud about it. If you want to get into it over OSs that are made purely for Server use only and NO desktop use, and, say how secure they are, then why not toss Trusted Solaris into the mix? Why not toss Trusted BSD into the mix? Those are just as much a part of BSD as OpenBSD is, but you don't have to put up with the **** Theo throws in.

    I do NOT care about Theo; He has a huge attitude problem, he annoys me, and he's sometimes a total moron. I've personally seen him, with my own eyes, telling someone from the FreeBSD Security Team that they were full of ****, and blah blah blah they didn't know what they were talking about, and more.

    There was a FreeBSD Security Patch Released, and they credited OpenBSD with finding it, and Theo replied to this, saying that they were talking out of their asses, and that they didn't know a thing about what they were saying and that the security flaw in question didn't exist and that they were stupid and didn't know what they were talking about.

    The FreeBSD Security Officer simply replied, and instead of saying a word, he copied and pasted the OpenBSD Security patch notes to the email, and nothing more.

    Theo, of course, instead of apologizing for being a douche bag, said nothing. Yea. He's a dick. Get over it.

  7. #37
    Senior Member nihil
    Join Date: Jul 2003
    Location: United Kingdom: Bridlington
    Posts: 17,188
    No sign of any deleted post either? I guess it might be something to do with deleting a spam post before it is approved?

  8. #38
    Senior Member gore
    Join Date: Oct 2002
    Location: Michigan
    Posts: 7,177
    My guess is it was deleted too. I still have the Email I was sent about this thread, so I could check what the reply actually said, but it doesn't seem to show up as a Deleted post either; You know how when a post gets Deleted it shows up for us? It doesn't even show that. Which is odd. But whatever lol.

  9. #39
    Senior Member nihil
    Join Date: Jul 2003
    Location: United Kingdom: Bridlington
    Posts: 17,188
    I think that it happens if a post is flagged for moderation and you delete it as spam, rather than approving it or moving it. Those deleted posts just seem to vanish, as far as I have seen.

    My guess is that the actual post may trigger the notification system before the post is approved?

    You are quite right about normal posts, in that if the user or moderator deletes or edits it, then it shows up in the thread.

  10. #40
    Senior Member gore
    Join Date: Oct 2002
    Location: Michigan
    Posts: 7,177
    Well, with your comments as well, I think we can call this case closed for now lol. Anything about the topic you want to add? I know you've been around since RAM came in stacks a foot long so I'm curious about your Unix Experiences personally.
