lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1167005250.5050.53.camel@k7.khidr.net>
Date: Mon, 25 Dec 2006 01:07:30 +0100
From: Michael Zimmermann <zim@...aa.de>
To: Brian Eaton <eaton.lists@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, websecurity@...appsec.org
Subject: Re: comparing information security to
	other	industries

Hi Brian,

you answer from the viewpoint of somebody engaged in 
modern 'computer security'. But with the phrase 
"at large" I was meaning a more global view:

Two thirds of the PCs are estimated to contain
malware. We are so used to receive all kinds of
virusses, worms and trojans, that we NEED antivirus 
scanners and firewalls. Those defences are like
medicine, which you MUSt take - and the more medicine
you have to take, the more ill you are.

In the early 1980ies it was _unthinkable_ that a 
program would run on your systems, which you 
wouldn't know it existed and had installed for 
yourself. Nowadays it's the rare exception, when
a user knows what is running on his PC (and a
professional system admin, who knows every program
executing on his machine is also a rare thing, 
I think).

Complexity has grown, but our basic security
structures in hardware and software have have not.
Unix/Linux security is based on the classic Unix 
design (was it 1974 when it was published?), DOS
security is an unborn child while Windows security 
is not better than than of Linux. 

Why?

The Intel hardware for PCs was chosen on the basis 
of marketing thinking and not because it was 
technically better than it's alternative - nothing 
to say about security concerns. An executable stack
with decreasing addresses, unprotected memory and 
totally missing permission-scheme in the IBM PC and, 
and, and...

Marketing/money decision ruled the IT-Industry
since the first IBM PC was sold. Yet there have
existed better system- and hardware-designs
even before the IBM PC. Just to name two:
Motorola processors or the Multics OS.

Brian, IMO your argumentation is not a solution
to improve over-all security but is symptomatic 
for the lack of it.

A lot of patch-work and no broadly accepted
security concept. Only during the last years
that situation is changing slowly - but not
yet in the Windows realm. But a functioning 
PC security is needed IMO, at least I don't
want to live with a net, where hundred-
thousands of zombies can bring my server
down any moment or flood my MTA daily with
thousands of crap-email. These daily fights
may create a sort of dynamice equilibrium,
but are not what I call "security" or "stability".


Greetings
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ