Open Source and information security mailing list archives
From: madscientist at wyoming.com (Philip Stortz)
Subject: Odd Behavior - Windows Messenger Service   

i would tend to agree, at least on machines that aren't meant to be servers.  i'd also suggest that all users, including automatic processes should be authenticated by login etc. and further that "sensitive" information, like payroll and employees' other personal information should be stored properly encrypted (i.e. not rot-13 or xor with a 2 byte string...) and access to those databases should be limited to employees with a legitimate "need to know" i.e. payroll people and personnel people who should also have to log in, and should be auto logged out after a relatively short period.  ideally, there really should also be a log of at least who logged into what database when, and a human should bother to look at it occasionally.  i know none of this is likely even at most large businesses, and is less important at a small business (i've worked at several companies where everyone pretty much knew what everyone made, how long they worked etc., and where all were trusted enough not to worry about who knew where you lived, or they wouldn't have been at said companies long).

it's unfortunate that market forces are driving things towards fuller, easier integration and access with little or no regard for security or privacy.  personally, i don't want a refrigerator and stove hooked up to the net and ordering groceries for me, even if i bought my groceries online.  and i don't want my cd player or radio broadcasting what kind of music i've been listening to so columbia house can tailor their sales pitch.  i certainly don't want stores to read my retinal scan and recognize me/target me for sales pitches when i walk in (i.e., "minority report", i also really don't want dynamic newspapers or cereal boxes....but i'm sure i'll have to put up with them at some point).  easy integration, particularly automatic integration is a dangerous thing, even with current spy-ware, much less the "clever" things advertisers will come up with.  then again, i derive nearly zero value from most advertising, but some say that's why there's so much......

important business systems and databases need better protection, default and otherwise.  when it's set up this winter, my home network will use static ip's for machines, it's easier and not that hard to keep track of on a small system and allows a much higher level of security control if necessary (assuming of course that spoofing isn't trivial, which it sometimes is i know).

oh, and one more rant, CAN PEOPLE PLEASE, PLEASE TRIM THEIR QUOTES!  AND MAYBE POST ONLY PLAIN TEXT OR ONLY PLAIN TEXT AND HTML, WE REALLY DON'T NEED JPGS AND BINARY STREAMS!  at least we don't need binary streams unless it's a virus, in which case it of course shouldn't be a binary octet application stream (if i have that mime type correct).  at least don't quote people's jpg's and other verbose garbage.  the point of quoting messages is to refresh the reader's memory, not create a digest of the entire discussion.  that's also why i bottom quote, it's only for reference/orientation.

> Jay Sulzberger <jays@...ix.com>
-----------
> Out of the box, the default should be that no network services are started
> at boot without human command transmitted via local hardware.  This may be
> seen from even the first, even the most crude and blunt, cost benefit
> analysis.
> 
> oo--JS.

-- 
"Where a calculator on the ENIAC is equipped with 18,000 vacuum tubes and weighs 30 tons, computers in  the future by the year 2000, may have only 1,000 vacuum tubes and weigh only 1.5 tons"  Popular Mechanics, March 1949

