Re: BTTV detection broken in 2.4.0-test11-pre5

From: David Ford (david@linux.com)
Date: Sun Nov 19 2000 - 11:21:39 EST

Next message: David Ford: "Re: XMMS not working on 2.4.0-test11-pre7"
Previous message: dalecki: "Re: [PATCH] megaraid driver update for 2.4.0-test10"
In reply to: Christer Weinigel: "Re: BTTV detection broken in 2.4.0-test11-pre5"
Next in thread: Ben Ford: "Re: BTTV detection broken in 2.4.0-test11-pre5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Christer Weinigel wrote:

> >Kernel on writeprotected floppy disk...
>
> So change the CMOS-settings so that the BIOS changes the boot order
> from A, C, CD-ROM to C first instead. *grin* How long do you want
> to keep playing Tic-Tac-Toe?
>
> Of course, using capabilities and totally disabling access to the raw
> disk devices and to any I/O ports might be the solution, provided that
> there are no bugs or thinkos in the capabilities code.

How much time do you want to spend hardening your system? A few simple steps can
make things very hard for a remote attacker.

Everyone wants to decry every tiny little step saying there are a dozen ways to
get around it. But take 12 simple steps to take care of those dozen ways, and
you've upped the bar sufficiently. It will take a much more skilled person to
get past your defenses.

Most exploits depend on a common system layout. I.e. a redhat script issue.
Immediately you have hundreds of thousands of systems around the world which are
probably vulnerable. If however you've only installed 10 megs worth of total
system programs and kernel etc that you've carefully decided are necessary, you
probably don't have those scripts. With this attention to detail, you probably
shut off all those extraneous services like rpc.statd. Chances are you have a
chrooted BIND and on top of that you're running 9.0.1rc2. With all that covered
I'd hazard a guess that your nicely tidied up iptables are preventing access to
anything you're not paying attention to.

Every item you add to this hardening checklist makes your system much less of a
target. First it has less of a signature on a perp's someisp.addresses.com
sweep, and second, once it's found there are less and less available options for
intrusion.

So instead of doing nothing because someone can always infiltrate your system, do
a few somethings so it raises the bar against whomever tries.

Those dozen doors are great for a shopping mall, but bad for a classified room.

-d

text/x-vcard attachment: Card for David Ford

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Ford: "Re: XMMS not working on 2.4.0-test11-pre7"
Previous message: dalecki: "Re: [PATCH] megaraid driver update for 2.4.0-test10"
In reply to: Christer Weinigel: "Re: BTTV detection broken in 2.4.0-test11-pre5"
Next in thread: Ben Ford: "Re: BTTV detection broken in 2.4.0-test11-pre5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu Nov 23 2000 - 21:00:17 EST