[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1167005250.5050.53.camel@k7.khidr.net>
Date: Mon, 25 Dec 2006 01:07:30 +0100
From: Michael Zimmermann <zim@...aa.de>
To: Brian Eaton <eaton.lists@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: Re: comparing information security to
other industries
Hi Brian,
you answer from the viewpoint of somebody engaged in
modern 'computer security'. But with the phrase
"at large" I was meaning a more global view:
Two thirds of the PCs are estimated to contain
malware. We are so used to receive all kinds of
virusses, worms and trojans, that we NEED antivirus
scanners and firewalls. Those defences are like
medicine, which you MUSt take - and the more medicine
you have to take, the more ill you are.
In the early 1980ies it was _unthinkable_ that a
program would run on your systems, which you
wouldn't know it existed and had installed for
yourself. Nowadays it's the rare exception, when
a user knows what is running on his PC (and a
professional system admin, who knows every program
executing on his machine is also a rare thing,
I think).
Complexity has grown, but our basic security
structures in hardware and software have have not.
Unix/Linux security is based on the classic Unix
design (was it 1974 when it was published?), DOS
security is an unborn child while Windows security
is not better than than of Linux.
Why?
The Intel hardware for PCs was chosen on the basis
of marketing thinking and not because it was
technically better than it's alternative - nothing
to say about security concerns. An executable stack
with decreasing addresses, unprotected memory and
totally missing permission-scheme in the IBM PC and,
and, and...
Marketing/money decision ruled the IT-Industry
since the first IBM PC was sold. Yet there have
existed better system- and hardware-designs
even before the IBM PC. Just to name two:
Motorola processors or the Multics OS.
Brian, IMO your argumentation is not a solution
to improve over-all security but is symptomatic
for the lack of it.
A lot of patch-work and no broadly accepted
security concept. Only during the last years
that situation is changing slowly - but not
yet in the Windows realm. But a functioning
PC security is needed IMO, at least I don't
want to live with a net, where hundred-
thousands of zombies can bring my server
down any moment or flood my MTA daily with
thousands of crap-email. These daily fights
may create a sort of dynamice equilibrium,
but are not what I call "security" or "stability".
Greetings
Michael
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists