Message-ID: <Pine.LNX.4.44.0711021024360.8260-100000@ns2.drsolly.com>
Date: Fri, 2 Nov 2007 10:33:22 +0000 (GMT)
From: Drsolly <drsollyp@...olly.com>
To: Gadi Evron <ge@...uxbox.org>
Cc: botnets@...testar.linuxbox.org, "Roger A. Grimes" <roger@...neretcs.com>,
	funsec@...uxbox.org, Alex Eckelberry <AlexE@...belt-software.com>,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: [funsec] the heart of the problem [was: RE:
	mac trojan in-the-wild]

> Things are in fact FUBAR. We need new ideas and new solutions as honestly, 
> although we want to feel we make a difference by taking care of this or 
> that malware or this and that C&C we are powerless and have not made a 
> real difference in the past 6 years while things got worse.
> 
> We need new solutions and new ideas, and would be more than happy to have 
> new people exploring operational security.

My new idea is a computer that cannot have new software installed on it by 
the user, or by someone logging in as root, or in any other way, other 
than by physical replacement of the OS medium.

My first proposal was Grannyx, which I proposed a couple of years ago. No 
work has been done on this, because none of the people who think it's a 
good idea have the time to make it happen. The OS is on a CD-ROM, and the 
medium on which data is stored is unable to run software.
 
> The current state of Internet security is you get slapped -- BAM! -- and 
> you write an analysis about it. (when speaking at ISOI I actually slapped 
> myself -- HARD -- when I said it on stage, not a good idea for future 
> reference).

A better analogy might be "you see someone else being tapped gently on the 
wrist", which explains why no-one does much to stop it happening in future.

> Well, we can't choose the risks. They choose us. Sometimes they are cool, 
> sometimes they're not.

Well, we can choose the risks, actually. Having chosen the risk, you can't 
choose the outcome. But we do choose the risks. 

For example, I climbed a tree yesterday. The outcome was good (it might 
not have been), but *I* chose the risk.
 
