Gentoo desktop?

Anthony de Boer adb-tlug-AbAJl/g/NLXk1uMJSBkQmQ at public.gmane.org
Fri Jan 18 05:17:41 UTC 2008


Christopher Browne wrote:
> On Jan 14, 2008 5:07 PM, Anthony de Boer <adb-tlug-AbAJl/g/NLXk1uMJSBkQmQ at public.gmane.org> wrote:
> > One of the early firewall publications (the FWTK manual, if I recall)
> > had a cartoon of a worried-looking sysadmin with the caption "I'm
> > paranoid.  But am I paranoid _enough_?"  That's the sort of work I've
> > done over the past number of years, with firewalling and host security
> > and application robustness and storage redundancy/backups.  (Is anyone
> > hiring?!?)
> 
> The fact that you may watch a wave of lines like the following go
> across your screen is *NOT* paranoid action that helps security.
> 
> gcc -O7  ${MOREFLAGDETERIORATA} -c some_file.c

Oh heavens no, I don't sit staring spellbound at builds.  Those are for
running in the background while I catch up on mail or news or whatever
else, or go for a coffee and maybe interact with a human being.

> You may *imagine* that you are avoiding some security problems, but in
> reality, you're not, not unless you are scrutinizing every bit of code
> that gets compiled.
> 
> It still is not enough even if you *are* scrutinizing the code.
> 
> Ken Thompson documented this nicely in his famous paper:
> http://cm.bell-labs.com/who/ken/trust.html

Yes, I read that quite a few years ago.

Mostly I'm looking at the overview of how things work, delving into
details here and there, and such.

There's no way anyone is going to be able to read all of the code in a
modern system.  You have to prioritize your time, and cover what you can
in the ongoing work to keep systems running properly on the Internet.

Following the more useful security-related mailing lists is good for
staying on top of the issues currently affecting people.

I also find it useful to do belt-and-suspenders deployments, making sure
I can point at more than one thing that ought not go wrong, each being in
place in case the other gets broken.  Rather than simply saying "this is
well-written code" I still like to chroot, firewall, run it on a separate
machine, or otherwise isolate it from the rest of my data.  And a lot of
times the Powers That Be mandate running something that doesn't have a
stellar security record, and you have to do what you can to make it
harder to break and to detect and contain the inevitable problem.

Meanwhile, this Gentoo box I'm running for my home system is more like a
Meccano set than the nicely-welded-together thing that a binary distro
would be; it makes it easier to pull stuff apart and see what's
underneath.  I use it to evaluate things that look to be useful new
technologies, trying to use my home net as a testbed for things I'd like
to have some informed opinions about, and experience deploying.

-- 
Anthony de Boer
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists





More information about the Legacy mailing list