Which Red Hat?

J C Lawrence claw at kanga.nu
Mon Feb 17 17:51:33 PST 2003


On Mon, 17 Feb 2003 17:12:45 -0800 
Chuck Yerkes <chuck+baylisa at snew.com> wrote:

> Red Hat Advanced Server is supposed to be the "enterprise edition" of
> Red Hat.  It's supposed to be long and well supported and slower
> changing than Linuxes usually are.

Yeah, uhhhhuhh, sure.  RHAS is the one that shipped with GCC 2.96 -- the
unofficial GCC release that's both full of bugs with a different ABI to
both GCC 2.95 and GCC v3 -- and is targeted as the platform actively
supported by Oracle right?  The same Oracle whose OCCI libraries are
compiled with GCC 2.95 and thus can't be reliably linked against under
RHAS...?  The RHAS whose vendor (RH) replies to queries on these
subjects with, "Uhhhhhhh...", while Oracle replies with, "Uhhh, we're
not sure what compiler we used..." (despite the fact that it's quite
clear to tell under nm).

Sorry, I had a sudden urge to vent there.  

> Usually, the best choice for a bastion's OS is one you are very
> familiar with.  More to the point, one you are NOT very familiar with,
> will not serve you well.

Sooth.

> And of course, you do the full gambit of setting up strong filtering
> on your router after the Firewall and have another router inside the
> firewall that ideally is from another company/different OS.  (Belts
> and suspenders).

I like making security equipment from atypical hardware platforms.
Sure, use a "standard" OS (*BSD, Linux, whatever), but run it on
something interesting.  Run it on Alpha, on MIPS, on PA-RISC, something
not x86.  If possible run something other than OEM OS on that hardware
(eg not-Solaris on SPARC, not-OSX on PPC, not-HP-UX on PA-RISC, etc).
The more you deviate from the base line, the more likely the canned
script kiddie scripts will fail.  Fail because the CPU instruction sets
are different, fail because the stack sizes or direction of stack growth
is off, fail because the heap semantics aren't the same, fail due to
different endianness, fail due to different word size...

Sure, it doesn't close the door on an exploit given a wily and
intelligent cracker, but it shuts down the vast majority of them who
beat me in a patch install, and I'm a big fan of anything which
increases cracker barrier to entry, especially when it doesn't cost me a
nickel (older non-x86 hardware is cheap).

-- 
J C Lawrence                
---------(*)                Satan, oscillate my metallic sonatas. 
claw at kanga.nu               He lived as a devil, eh?		  
http://www.kanga.nu/~claw/  Evil is a name of a foeman, as I live.


