Installing a compiler by default
Lee Revell
rlrevell at joe-job.com
Tue Jun 13 18:30:01 BST 2006
On Tue, 2006-06-13 at 13:09 -0400, Shawn McMahon wrote:
> On Tue, Jun 13, 2006 at 12:11:54PM -0400, Lee Revell said:
> >
> > Um, the attacker would have to be root already to replace libs or kernel
> > modules. You've already lost at that point. Game over, man.
>
> At this point it becomes a matter of time. If the attacker can
> immediately install his code, his advantage over you is increased. If,
> instead, he's got to hunt for the C compiler, conclude that it's
> missing, and go install one, you've created more time and more logged
> actions. Defense in depth, Lee; no one thing "stops them in their
> tracks". Every inconvenience for the attacker increases your security.
>
But security measures that do not increase security actually make the
system less secure, as they give a false sense of security.
By your logic, security by obscurity is a valid defense.
Lee