Open Source and information security mailing list archives
 
From: yossarian at planet.nl (yossarian)
Subject: [OFFTOPIC] Zone Alarm

Paul Schmehl wrote:

> Of course you're right.  My point, which I obviously made ineptly, is
> that *everything* must be patched at some point, so the idea that you
> install a DSL router and just forget about it was what I was trying to
> get at.  There *is* no panacea for security.  It's an ongoing,
> never-ending process of checking and rechecking and rechecking again to
> make sure that there aren't any known holes in your defenses.

An interesting idea could be a CD-based embedded XP solution - gives the
windows lovers the interface and us BOFHs full control. Think about it -
make an image with the common apps, map data to drives as binary files, scan
on the server - which could also be an embedded thingie, and if you switch
it off - exit any attack that might be resident somewhere in the system.

Some or a lot of elaboration would probably be necessary, especially on H/W
support, but if all data is mapped to another host - the only approach being
through the memory of the embedded windoze - well, attacks would become a
lot harder. And it'd probably lower the TCO. I think this might be an idea
for SoHo, the second machine could be anything older connected thru a
non-routable protocol. Novell 3.12 - how to stage a tunnel from a
temporarily 0wned XP box with no execute from writeable areas?

Of course throwing in a zonealarm would be nice to keep the users alert on
all the scanning. This probably would not work for home users, but if
they have to be able to connect to your corporate network, booting from a CD
with embedded, a sort of fingerprint for authentication - or use the
smartcard or whatever two-stage auth., data to be stored thru VPN on the
corporate server - if any - at least they can view their mail, and just
maybe write it to a floppy or USB thingie.... - so they can work at home on
their own messed up boxes without risking the precious corporate network.
Just give the home users a new CD every couple of weeks or months.

Just another approach to a part of this prob - and a lot less patching ....

yossarian

