[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Pudent default security

To: Paul Schmehl <pauls@xxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Re: Pudent default security
From: Jay Sulzberger <jays@xxxxxxxxx>
Date: Mon, 29 Sep 2003 00:07:06 -0400 (EDT)


On Sun, 28 Sep 2003, Paul Schmehl wrote:

> --On Sunday, September 28, 2003 10:20 PM -0400 "security@xxxxxxxxxxx"
> <security@xxxxxxxxxxx> wrote:
>
> > I would add yet another take on this.
> >
> [sniipped a lot of good thinking]
> >
> > I think that the problem is not the protocol or the application. It is a
> > fundamental lack of understanding of the security model and the network
> > as a whole.
> >
> Yes, that is what I was trying to say, however lamely.  The preponderance
> of discussions and papers on security today focus on the network and how to
> control the flow of data/packets.  But in the final analysis, the problems
> always come down to the individual machine, be it server or workstation.
> Why aren't security ideas focusing on that problem primarily?  Oh, we all
> know you shouldn't run unnecessary services, but that's about as far as the
> wisdom goes.
>
> SANS has made some efforts in this area with their best practices
> documents, but where is the software development to address it?  The
> Bastille is about the only thing I can think of off the top of my head that
> even attempts to address this area.  The OS vendors are beginning to come
> around to the off-by-default model (slowly), but protecting what *must* be
> on (such as CIFS, SMB, NFS) is still a laborious (or outrageously
> expensive) process when you're trying to do it on an enterprise level.
>
> IMO the vendors should be providing these types of tools as an integral
> part of the OS in addition to shipping in an off-by-default model.  It
> should be trivial to "do security" in an OS.  (It still blows my mind that
> every WinXP box comes with UPnP on by default.  RPC I can *almost*
> understand, but UPnP???)  I'm saying we need a paradigm shift in *thinking*
> about how an OS should be configured out of the box *and* a paradigm shift
> in the ease of configuration on an enterprise level.
>
> Paul Schmehl (pauls@xxxxxxxxxxxx)

Many computer programs are today:

1. unconscious

2. promiscuous

3. incontinent

4. unsupervised

Most programs should be:

1. somewhat self-aware

2. almost chaste and quite delicate in their affections

3. tight-sphinctered

4. well supervised by programs with the power to detect and suppress bad 
behavior

oo--JS.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Re: Pudent default security
  - From: Ed Carp

References:
- RE: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Rick Kingslan
- RE: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Curt Purdy
- Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Florian Weimer
- Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Karl DeBisschop
- Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Paul Schmehl
- Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
  - From: Michal Zalewski
- [Full-Disclosure] Pudent default security - Was: CyberInsecurity: The cost of Monopoly
  - From: security@xxxxxxxxxxx
- [Full-Disclosure] Re: Pudent default security
  - From: Paul Schmehl

Prev by Date: [Full-Disclosure] Re: Pudent default security
Next by Date: Re: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly
Previous by thread: [Full-Disclosure] Re: Pudent default security
Next by thread: Re: [Full-Disclosure] Re: Pudent default security
Index(es):
- Date
- Thread