lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: pauls at utdallas.edu (Paul Schmehl)
Subject: SQL Slammer - lessons learned

On Thu, 2003-02-06 at 06:32, John.Airey@...b.org.uk wrote:
> 
> We've drifted from my original point, that ports used dynamically by IP
> stacks should be distinct from service ports, so that ISPs or administrator
> CAN block them without impacting the end user if they so wish. At the minute
> we need stateful filtering to rescue us from the port allocation mess we are
> in. SQL Slammer was only as successful as it was because stateful filtering
> isn't widespread, ie this one got past many administrators of large networks
> who are already careful about which services are publicly available.
> 
> Given the choice between controlling traffic at the border or keeping
> thousands of "non-public" machines up to date, I know which I'd choose.
> 
I think Slammer has pointed one of the biggest problems with security
today - hard shell on the outside, soft chewy middle.  Any time I get
involved in discussions about security philosophy, it always seems to
drift to how to keep the bad guys out.  Well, at a university, the bad
guys are *inside*.  They're learning programming, networks, algorithmic
theories, security principles, etc, etc, and they're *very* eager to try
it out.

For example, everybody gets really concerned about wireless network. 
OMG, what are we going to do?  WEP just isn't good enough.  Well WEP is
a darn sight better than the plain text traffic on the hard wired
network.  Why aren't we freaking out about that?  I contend it's because
everyone (big generalization here) sees the wired network as "secure". 
I mean who's going to tap in to that, right?  WRONG!!!

When I think about securing something, I think about securing it from
*everybody*, outside *and* inside the network.  But that isn't the
present focus of the security industry *in general*.

-- 
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ