http://secunia.com/graph/?type=sol&p...2008&prod=2719
This graph is from 2008 and shows the patched and unpatched vulnerabilities for the 2.6 kernel: 10% unpatched. The kernel alone is >6 million lines of code. You can try and validate the kernel all you want, but you are not going to have 6 million lines of code bug-free. It will never happen, seeing as they modify on average 8000 lines of code a day, and from 2.6.24 to 2.6.25 it was 300k+ lines of code changed, and that's only the kernel. http://secunia.com/graph/?type=fro&p...2008&prod=2719 This shows that 20% of the vulnerabilities for 2.6.X are remote. The point is, no matter how much you try, there is no 100% secure method. I use Sidewinder G2 firewalls at work. A $60,000 firewall. We still have attacks from time to time, and they do NAT! Yes, your little Linksys router does help, but it is not a brick wall. If traffic goes out, it can come back in. It is possible to own an entire network with a single email. I know because I have seen it done. And jiml, how do you know no one has ever come close? Like I said, if they are good you would never know.
Quote:
about the receiving end of a network connection, it rewrites headers, maintains state and doesn't touch the payload of a packet (unless maybe it's some grotty M$ implementation and you've been had in the first place). I won't even go into trying to argue against the idea that the many eyes isn't quite doing it because there's always patches to software in use outside the lab; you don't want to see it - don't look. But that's only your problem (exclusively) as long as you haven't been had. Cheers, Tink
a) NAT doesn't protect a service that you are allowing through anyway. Running a web server that's open to the outside? NAT does squat. All NAT "protects" is unsecured local-only services. Great, so your NFS/CIFS server won't get owned, whatever... You're still vulnerable to SQL injects, PHP remote includes, Apache module buffer overflows, BIND cache poisoning, FTP bounce attacks, ssh brute-forcing, blah blah blah blah blah. NAT is not "security"; it's simply a crutch to prop up the starved IPv4 address space.
b) Many eyes? Three words: Debian, Entropy, Generation. How long was that gaping vulnerability in existence before someone noticed? I do believe it was over a year. Get real, you can't rely on "many eyes" to keep you safe at night.
This is a pretty funny thread.
Sometimes I think:
Code:
security = skill^2 + knowledge^3 + luck^20