lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1064848560.18021.48.camel@TDT>
From: sjohnston at libertysite.com (Shannon Johnston)
Subject: Re: Pudent default security

There are vendors out there with secure-by-default solutions (EnGarde,
Openna, OpenBSD).

One of the largest problems I see is that the vendors distribute to
business needs, not security needs. In order to maintain market share,
you need to be able to sell something to the administrator who doesn't
know any better. If it works, most of the time, you can sell it.

Unfortunate, but true. 

Shannon Johnston 


On Sun, 2003-09-28 at 21:20, Paul Schmehl wrote:
> --On Sunday, September 28, 2003 10:20 PM -0400 "security@...enik.com" 
> <security@...enik.com> wrote:
> 
> > I would add yet another take on this.
> >
> [sniipped a lot of good thinking]
> >
> > I think that the problem is not the protocol or the application. It is a
> > fundamental lack of understanding of the security model and the network
> > as a whole.
> >
> Yes, that is what I was trying to say, however lamely.  The preponderance 
> of discussions and papers on security today focus on the network and how to 
> control the flow of data/packets.  But in the final analysis, the problems 
> always come down to the individual machine, be it server or workstation. 
> Why aren't security ideas focusing on that problem primarily?  Oh, we all 
> know you shouldn't run unnecessary services, but that's about as far as the 
> wisdom goes.
> 
> SANS has made some efforts in this area with their best practices 
> documents, but where is the software development to address it?  The 
> Bastille is about the only thing I can think of off the top of my head that 
> even attempts to address this area.  The OS vendors are beginning to come 
> around to the off-by-default model (slowly), but protecting what *must* be 
> on (such as CIFS, SMB, NFS) is still a laborious (or outrageously 
> expensive) process when you're trying to do it on an enterprise level.
> 
> IMO the vendors should be providing these types of tools as an integral 
> part of the OS in addition to shipping in an off-by-default model.  It 
> should be trivial to "do security" in an OS.  (It still blows my mind that 
> every WinXP box comes with UPnP on by default.  RPC I can *almost* 
> understand, but UPnP???)  I'm saying we need a paradigm shift in *thinking* 
> about how an OS should be configured out of the box *and* a paradigm shift 
> in the ease of configuration on an enterprise level.
> 
> Paul Schmehl (pauls@...allas.edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
Shannon Johnston <sjohnston@...ertysite.com>
Liberty Cavion
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030929/cfa4cca3/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ