lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <169635332.1064787610@[192.168.2.119]>
From: pauls at utdallas.edu (Paul Schmehl)
Subject: Re: Pudent default security

--On Sunday, September 28, 2003 10:20 PM -0400 "security@...enik.com" 
<security@...enik.com> wrote:

> I would add yet another take on this.
>
[sniipped a lot of good thinking]
>
> I think that the problem is not the protocol or the application. It is a
> fundamental lack of understanding of the security model and the network
> as a whole.
>
Yes, that is what I was trying to say, however lamely.  The preponderance 
of discussions and papers on security today focus on the network and how to 
control the flow of data/packets.  But in the final analysis, the problems 
always come down to the individual machine, be it server or workstation. 
Why aren't security ideas focusing on that problem primarily?  Oh, we all 
know you shouldn't run unnecessary services, but that's about as far as the 
wisdom goes.

SANS has made some efforts in this area with their best practices 
documents, but where is the software development to address it?  The 
Bastille is about the only thing I can think of off the top of my head that 
even attempts to address this area.  The OS vendors are beginning to come 
around to the off-by-default model (slowly), but protecting what *must* be 
on (such as CIFS, SMB, NFS) is still a laborious (or outrageously 
expensive) process when you're trying to do it on an enterprise level.

IMO the vendors should be providing these types of tools as an integral 
part of the OS in addition to shipping in an off-by-default model.  It 
should be trivial to "do security" in an OS.  (It still blows my mind that 
every WinXP box comes with UPnP on by default.  RPC I can *almost* 
understand, but UPnP???)  I'm saying we need a paradigm shift in *thinking* 
about how an OS should be configured out of the box *and* a paradigm shift 
in the ease of configuration on an enterprise level.

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ