| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: sjohnston at libertysite.com (Shannon Johnston) Subject: Re: Pudent default security There are vendors out there with secure-by-default solutions (EnGarde, Openna, OpenBSD). One of the largest problems I see is that the vendors distribute to business needs, not security needs. In order to maintain market share, you need to be able to sell something to the administrator who doesn't know any better. If it works, most of the time, you can sell it. Unfortunate, but true. Shannon Johnston On Sun, 2003-09-28 at 21:20, Paul Schmehl wrote: > --On Sunday, September 28, 2003 10:20 PM -0400 "security@...enik.com" > <security@...enik.com> wrote: > > > I would add yet another take on this. > > > [sniipped a lot of good thinking] > > > > I think that the problem is not the protocol or the application. It is a > > fundamental lack of understanding of the security model and the network > > as a whole. > > > Yes, that is what I was trying to say, however lamely. The preponderance > of discussions and papers on security today focus on the network and how to > control the flow of data/packets. But in the final analysis, the problems > always come down to the individual machine, be it server or workstation. > Why aren't security ideas focusing on that problem primarily? Oh, we all > know you shouldn't run unnecessary services, but that's about as far as the > wisdom goes. > > SANS has made some efforts in this area with their best practices > documents, but where is the software development to address it? The > Bastille is about the only thing I can think of off the top of my head that > even attempts to address this area. The OS vendors are beginning to come > around to the off-by-default model (slowly), but protecting what *must* be > on (such as CIFS, SMB, NFS) is still a laborious (or outrageously > expensive) process when you're trying to do it on an enterprise level. > > IMO the vendors should be providing these types of tools as an integral > part of the OS in addition to shipping in an off-by-default model. It > should be trivial to "do security" in an OS. (It still blows my mind that > every WinXP box comes with UPnP on by default. RPC I can *almost* > understand, but UPnP???) I'm saying we need a paradigm shift in *thinking* > about how an OS should be configured out of the box *and* a paradigm shift > in the ease of configuration on an enterprise level. > > Paul Schmehl (pauls@...allas.edu) > Adjunct Information Security Officer > The University of Texas at Dallas > AVIEN Founding Member > http://www.utdallas.edu > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html -- Shannon Johnston <sjohnston@...ertysite.com> Liberty Cavion -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030929/cfa4cca3/attachment.bin
Powered by blists - more mailing lists