LinuxQuestions.org

Help analyzing hackers transcripts (https://www.linuxquestions.org/questions/linux-security-4/help-analyzing-hackers-transcripts-648613/)

slimm609 07-09-2008 07:56 AM

http://secunia.com/graph/?type=sol&p...2008&prod=2719

This graph is from 2008 and shows the patched and unpatched vulnerabilities for the 2.6 kernel. 10% unpatched.

The kernel alone is >6 million lines of code. You can try and validate the kernel all you want but you are not going to have 6 million lines of code bug free. It will never happen, seeing as they modify on average 8000 lines of code a day and from 2.6.24 to 2.6.25 it was 300k+ lines of code changed, and that's only the kernel.

http://secunia.com/graph/?type=fro&p...2008&prod=2719
This shows that 20% of the vulnerabilities for 2.6.X are remote.

The point is no matter how much you try there is no 100% secure method. I use Sidewinder G2 firewalls at work. A $60,000 firewall. We still have attacks from time to time and they do NAT! Yes, your little Linksys router does help but it is not a brick wall. If traffic goes out it can come back in. It is possible to own an entire network with a single email. I know because I have seen it done.

And jiml, how do you know no one has ever come close? Like I said, if they are good you would never know.

Tinkster 07-09-2008 01:30 PM

Quote:

Originally Posted by jiml8 (Post 3208408)
Certainly a NAT router won't protect from SQL injects or cross-site scripting. It does provide some significant protection against buffer overruns.

How? Walk me through that, please? NATing knows nothing
about the receiving end of a network connection, it rewrites
headers, maintains state and doesn't touch the payload of
a packet (unless maybe it's some grotty M$ implementation
and you've been had in the first place).



I won't even go into trying to argue against the idea
that the many eyes isn't quite doing it because there's
always patches to software in use outside the lab; you
don't want to see it - don't look. But that's only your
problem (exclusively) as long as you haven't been had.



Cheers,
Tink

chort 07-10-2008 12:12 AM

a) NAT doesn't protect a service that you are allowing through anyway. Running a web server that's open to the outside? NAT does squat. All NAT "protects" is unsecured local-only services. Great, so your NFS/CIFS server won't get owned, whatever... You're still vulnerable to SQL injects, PHP remote includes, Apache module buffer overflows, BIND cache poisoning, FTP bounce attacks, ssh brute-forcing, blah blah blah blah blah. NAT is not "security", it's simply a crutch to prop up the starved IPv4 address space.

b) Many eyes? Three words: Debian, Entropy, Generation. How long was that gaping vulnerability in existence before someone noticed? I do believe it was over a year. Get real, you can't rely on "many eyes" to keep you safe at night.
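
Added example, not part of any post in this thread: a toy Python model of the NAT behaviour Tinkster and chort describe above (header rewriting, a state table, payload left untouched). The class, addresses, ports and payloads are constructed for illustration, and the reply check assumes an address-and-port-restricted NAT.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple      # (ip, port)
    dst: tuple      # (ip, port)
    payload: bytes

class NatRouter:
    """Toy model: rewrites addresses, keeps state, never reads the payload."""
    def __init__(self, public_ip, forwards):
        self.public_ip = public_ip
        self.forwards = dict(forwards)  # public port -> LAN (ip, port)
        self.state = {}                 # public port -> (LAN endpoint, remote endpoint)
        self.next_port = 40000

    def outbound(self, pkt):
        port, self.next_port = self.next_port, self.next_port + 1
        self.state[port] = (pkt.src, pkt.dst)
        return Packet((self.public_ip, port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        port = pkt.dst[1]
        if port in self.forwards:       # service deliberately exposed
            return Packet(pkt.src, self.forwards[port], pkt.payload)
        entry = self.state.get(port)
        if entry and entry[1] == pkt.src:   # reply to a tracked flow
            return Packet(pkt.src, entry[0], pkt.payload)
        return None                     # unsolicited: dropped

def demo():
    # All addresses, ports and payloads below are constructed sample values.
    nat = NatRouter("203.0.113.5", {80: ("192.168.1.10", 80)})
    remote = ("198.51.100.7", 51000)
    oversized = b"GET /search?q=" + b"A" * 4096   # request a buggy server could mishandle
    to_web = nat.inbound(Packet(remote, ("203.0.113.5", 80), oversized))
    to_cifs = nat.inbound(Packet(remote, ("203.0.113.5", 445), b"probe"))
    out = nat.outbound(Packet(("192.168.1.20", 33333), ("198.51.100.7", 443), b"hello"))
    reply = nat.inbound(Packet(("198.51.100.7", 443), out.src, b"response"))
    stranger = nat.inbound(Packet(("198.51.100.99", 443), out.src, b"response"))
    return {
        "web_delivered_to": to_web.dst,
        "web_payload_unchanged": to_web.payload == oversized,
        "cifs_dropped": to_cifs is None,
        "reply_delivered_to": reply.dst,
        "stranger_dropped": stranger is None,
    }

if __name__ == "__main__":
    print(demo())
```

The forwarded web request reaches the LAN server byte for byte, so input validation and patching on that server remain the control that matters; only the unforwarded port 445 probe is dropped.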

Mr. C. 07-10-2008 12:43 AM

This is a pretty funny thread.

Sometimes I think:

Code:

security = skill^2 + knowledge^3 + luck^20

nx5000 07-10-2008 05:31 AM

Quote:

Originally Posted by chort (Post 3209591)

b) Many eyes? Three words: Debian, Entropy, Generation. How long was that gaping vulnerability in existence before someone noticed? I do believe it was over a year. Get real, you can't rely on "many eyes" to keep you safe at night.

Or the latest DNS flaw..

chort 07-10-2008 08:21 AM

Quote:

Originally Posted by nx5000 (Post 3209872)
Or the latest DNS flaw..

Yep, I thought of that one right after I posted! This has been a flaw since DNS was invented! It took Dan Kaminsky, who is an extraordinarily talented hacker, a looooooooong time to realize this flaw, and he's been messing with DNS for years. It's absolutely amazing that something like this was around for so long.


All times are GMT -5.