From owner-freebsd-advocacy@FreeBSD.ORG Thu Dec 4 10:51:52 2003 Return-Path: Delivered-To: freebsd-advocacy@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AE00616A4CE for ; Thu, 4 Dec 2003 10:51:52 -0800 (PST) Received: from lilzmailso01.liwest.at (lilzmailso01.liwest.at [212.33.55.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C12343F93 for ; Thu, 4 Dec 2003 10:51:51 -0800 (PST) (envelope-from dgw@liwest.at) Received: from [212.33.58.27] (helo=cm58-27.liwest.at) by lilzmailso01.liwest.at with esmtp (Exim 4.24) id 1ARyZl-0003Ad-JK; Thu, 04 Dec 2003 19:51:45 +0100 From: Daniela To: Mike Hoskins Date: Thu, 4 Dec 2003 19:46:58 +0000 User-Agent: KMail/1.5.3 References: <002b01c3b99e$a1dc3340$6c01a8c0@MITERDOMAIN> <3FCDED20.8050508@centtech.com> <3FCE7EB5.8060409@adept.org> In-Reply-To: <3FCE7EB5.8060409@adept.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200312041946.58465.dgw@liwest.at> cc: advocacy@freebsd.org Subject: Re: uptime 4.0 X-BeenThere: freebsd-advocacy@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: FreeBSD Evangelism List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Dec 2003 18:51:52 -0000 On Thursday 04 December 2003 00:24, Mike Hoskins wrote: > Eric Anderson wrote: > > Just curious, but, has anyone ever heard of a firewall? I typically > > defense in depth. security is multi-layered like an onion, or so people > have been touting for the last decade, so you keep systems up to date > and pay attention to host security as part of defense in depth... even > when you have a firewall. > > bridges pass packets. if you assume a device passing packets (even when > the device is "inaccessable" as defined in this thread) never needs > patched... you are probably relatively safe, but you are not really > "correct". bugs may occur and patches may be necessary that affect the > bridging code itself, no? of course. again, the best way to make this > issue moot is to get a working patch mechanism that doesn't require a > reboot. talk about a HA pipe dream! I tried to patch a running kernel once. You have to look for areas of the kernel memory that are not often accessed, where you can start writing your code to direct the kernel not to access further areas. This way you suspend the kernel step by step until you have a system that can just write to memory and not more. Of course you need to double and triple check the offsets. I wasn't so careful here, so I didn't succeed. I'm normally not such a terrible admin, but I'm young and I like playing with low-level stuff, and the machine doesn't do mission-critical things. BTW I had 18 days uptime at this point. Because of the error I made, I had to reboot. Never had more than 18 days until now, arrrgh! > > I just think that "large uptime = bad admin" is a pretty shallow and > > > > close minded way to stereotype people based on how long a machine has > > been powered on without a reboot. Nobody said "1200 days without a > > security patch! woohoo!".. > > stereotypes never work. if you have good technical reasoning for what > you're doing, great. i think some people are just a little more "anal" > about security -- probably the same people getting paid to do security > stuff where they work. ;) > > peace. > > _______________________________________________ > freebsd-advocacy@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-advocacy > To unsubscribe, send any mail to "freebsd-advocacy-unsubscribe@freebsd.org"