
[Full-Disclosure] RE: [Full-Disclosure]MS should re-write code with security in mind



Glenn:
Not to take issue with the performance of encryption, but
what good is performance when it's all spent processing spam, malware, trojans,
spyware and all the other cr*p that downloads?
Even things like Spybot, ZoneAlarm etc. do not prevent any
of the junk that gets loaded thru mail and port 80, plus any other
vulnerabilities that continually open up.

I would gladly take performance hits for reliability and the
end of endless spam, vuls, and spyware that constantly attach to my clients as
well as myself.

Anyone in the real world knows how impossible it is to totally
lock down a large commercial network.  To do business you need to open at least
one window to the hellish nightmare of the internet.  Plus router, firewall,
switch, modem, atm endless list of vulnerable systems... It is a never-ending
battle, and for the most part the white hats are losing.  So what is the
alternative?

Go to a totally secure network computing system like the military?

It seems we may have no choice.



Jan Clairmont
Firewall Administrator/Consultant
-----Original Message-----
From: Glenn_Everhart@xxxxxxxxxxx [mailto:Glenn_Everhart@xxxxxxxxxxx]
Sent: Thursday, August 19, 2004 10:53 AM
To: Clairmont, Jan M
Subject: RE: [Full-Disclosure] RE: [Full-Disclosure]MS should re-write
code with security in mind


Encryption is one scheme that gives access control. It is one of the more
expensive alternatives out there for this, and people using it often get the
key management wrong and vitiate their entire efforts while sweeping the
problems under the rug.

When I invented the cryptodisk back in the late 70s I noticed the first
version (using a DES algorithm) would allow the processor either to be
doing useful work, or encrypting/decrypting disk. I therefore added a much
weaker but faster algorithm as an alternative (for more benign environments)
that at least permitted both.

Machines today are much more capable, but overdone encryption is still capable
of eating serious amounts of their performance.

Glenn Everhart


-----Original Message-----
From: full-disclosure-admin@xxxxxxxxxxxxxxxx
[mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx]On Behalf Of Clairmont,
Jan M
Sent: Wednesday, August 18, 2004 2:01 PM
To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: [Full-Disclosure] RE: [Full-Disclosure]MS should re-write code
with security in mind



M$ should just bite the bullet and re-write Windows with
security in mind, give it a true process scheduler, multi-user
with windows as a client server processes.  Build in 256-bit encryption and
secure communications between processes and external communication with no
unencrypted traffic.  That would shut down a lot of these mindless security
leaks.  All mail should be encrypted and point-to-point, with the mail servers
only able to re-direct and broadcast mail with authentication.  Maybe we could
slow a lot of the hacking down and spam.  But again, until the marketplace
demands it, for M$, Linux and everybody else it's business as usual.

Keeps us employed I guess.

Jan Clairmont
Firewall Administrator/Consultant

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

