From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1KVwPl-0002nv-JG for garchives@archives.gentoo.org; Wed, 20 Aug 2008 22:44:29 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 18B61E02CD; Wed, 20 Aug 2008 22:44:28 +0000 (UTC) Received: from gv-out-0910.google.com (gv-out-0910.google.com [216.239.58.188]) by pigeon.gentoo.org (Postfix) with ESMTP id AF1C1E02CD for ; Wed, 20 Aug 2008 22:44:27 +0000 (UTC) Received: by gv-out-0910.google.com with SMTP id n8so88337gve.39 for ; Wed, 20 Aug 2008 15:44:26 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=C7nn01MoeeZKqD07PLmHp/qRnJR0/3cfIw1oQjGZOc8=; b=Aj4fEd5gDsmdG7nMpL+WE/REpfod53gwMsFBhvqSHFOkDiD0y7G9XNtfOlRd4IcQuR NNtUBlqnSjyBwzp1HioVLYHaif0EAbVBqDSu2TrXOXEDXWkURAr9HlYcwdr90CFf0on0 oK44I9Z48dcM/BPHCKoevVfpk0ceBEOf7ywkc= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=qRvMksLJxBx0J1xyqAWzEUOa8LBn8HU+pVV3h1JdPHV6Vl83Y+cSkkPXkbvlQwAJpm 6CNiAfRTsuH5aC9RLWv2HIEgeiGg9jw1B15SPRo4UN3VL2BO8YCXDNS5bWOCF9IT/izk DN7mUwIcl12BcI1TLTdplwdVUkr5lNCOu+L6c= Received: by 10.103.192.2 with SMTP id u2mr477086mup.45.1219272266569; Wed, 20 Aug 2008 15:44:26 -0700 (PDT) Received: by 10.103.212.6 with HTTP; Wed, 20 Aug 2008 15:44:26 -0700 (PDT) Message-ID: <897813410808201544y3e6e1ccaj74529a857bd9c3a2@mail.gmail.com> Date: Thu, 21 Aug 2008 00:44:26 +0200 From: "=?ISO-8859-1?Q?Javier_Mart=EDnez?=" To: gentoo-hardened@lists.gentoo.org Subject: Re: [gentoo-hardened] Updates: a way too simplified security question I am asking anyway In-Reply-To: <200808202353.50243.janklodvan@gmail.com> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-hardened@lists.gentoo.org Reply-to: gentoo-hardened@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <1217603370.1820.242.camel@liasis.inforead.com> <200808202114.57420.janklodvan@gmail.com> <4255c2570808201231k360aec7cs6ef19206a62dd095@mail.gmail.com> <200808202353.50243.janklodvan@gmail.com> X-Archives-Salt: 37d18fe4-b2e4-41db-ac19-407e50d55d5b X-Archives-Hash: 7b3b64211b3ab72f5e8dabe521ba680a Well, then neither GNU/Linux and OpenBSD are systems for you, since them both are not reliable since both are only a C2 systems by default under the orange book, maybe you should look for a system as CaprOS that reach to the A1 level and with other things has an exokernel (instead of an monolithic kernel as OpenBSD and Linux). Sorry but as I said you before, you can't make an OpenBSD trusted since it needs a B1 classification, and the B1 needs Mandatory Access Controls that doesn't exist in OpenBSD, at least in GNU/Linux we could reach to the B1, enough to mark it as "trusted Operating system". Conclussion: You will never find an secure from the box Operating system, you will have to work (hard) to assure it under yours needs, and for this you will need and MAC system. 2008/8/20, Jan Klod : > On Wednesday 20 August 2008 22:31:30 RB wrote: >> On Wed, Aug 20, 2008 at 12:14 PM, Jan Klod wrote: >> > No problem, we can cut it. > >> I'm not going to address each of the fallacies I see in your >> statements, but you have an exceedingly idealistic view of software >> development and particular OS' perceived security. [Insert project >> here] may have a slogan, but the developers are still human and thus >> still make mistakes and are inherently lazy. Short of being powered >> by unicorn farts, there is no way any reasonably complex system can >> approach that ideal. > [sorry, as you see, writing what I don't know much about] > In this light I was assuming, that file server is much less complex than = it > is. Give you my word to remember this when I write my next code :) > >> >> In regard to your philosophy of updates, do you build a wall and not >> defend it? Do you plant a garden and not water it? In the same >> light, no system can be "permanently" secured. Safes are rated by the >> amount of time it would take a dedicated, skilled cracker to open it; >> none are ever deemed uncrackable. If you want more time, you purchase >> [or build] one that better matches your needs. System security is no >> different. > Complexity matter again... Theoretically.. is it possible to enumerate al= l > the > possible scenarios for a file server? (or, I might have wrote - all of it= s > states) Oh, sure, it has finite amount of memory :) > Human problem. > Is easy to say "security", hard to give an action for all the possibiliti= es > (right action by our judgement)... > > I started this as a "flame", but the rest might go out of scope of this l= ist > and send me to theoretical computer science. > > Javier Mart=EDnez: > "control the execution of perl an python (between > others) scripts (in the way of perl blablabla.pl, which does not need > execution rights). You under this two frameworks you can do it. Can > you do this under OpenBSD ;)" > > Thanks, just you put me on my way, if I really need a reliable system, th= at > I > can get NOW AND HERE :) > >