| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <04Mar30.085026cest.118366@fd.hif.hu> From: adam at hif.hu (Szilveszter Adam) Subject: Re: Microsoft Coding / National Security Risk madsaxon wrote: > The US military is considerably more rigorous than the civilian > government in this regard, but even then there are systems which > have slipped through the cracks. Evidence for this is the fact that > Web defacement mirrors still occasionally contain both .gov and > .mil entries. Not to rain on your parade, but public web site defacements in the gov sector certainly show very little of the state of internal network security. Nowadays public web servers are often outsourced to a colo facility, and are not very much locked down either, since these are often not the same systems that provide the intranet services that the organisation depends on. While having a breach on your public web servers doesn't look nice, it's mostly not critical either, you simply take the server off the net and rebuild it when you have time. After all, it is more for information of the public than for anything else: nice to have, but nothing breaks if it doesn't work. Therefore the costs of locking it down may outweigh the possible cost of compromise. It is like saying: since there is graffiti on the walls of the police station, the police force sucks. I'd rather they went after the more serious offenses instead of making sure that nobody can spray their walls. Regards: Sz.
Powered by blists - more mailing lists