lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 02 Nov 2008 23:59:31 -0500
From: Valdis.Kletnieks@...edu
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Securing our computers?

On Sun, 02 Nov 2008 05:38:20 -0000, n3td3v said:
> does anyone have good ideas on how to secure our computers better?

Good ideas?  Those of us who have been doing this for decades have *plenty*
of those.

Good ideas that are both (a) practically deployable and (b) workable in
practice?  Those are in short supply.

Your long rant is just beginning to scratch the *surface* of the issues involved.

There's a very basic design problem:  People think they want their computers
to be generalized Von Neumann architectures, and resist attempts to give them
something that's more a Harvard architecture - go look at the debacle that
was WebTV for what happens when you try to give them a closed-box that's
no-user-modifiable-parts-inside by design.

It's *easy* to design an appliance that's reasonably secure.  Look at the
relative difficulty of hacking a Wii compared to hacking a Windows XP box.

What we *don't* know how to do is make a system that Joe Sixpack is allowed
to screw around with, and yet prevent security issues from happening.  The
only *real* solution here is to invent a better Joe Sixpack that's able to
understand that security should be more important than the neat screensaver
he just downloaded with no clue as to the code's provenance.

Unfortunately, the Joe Sixpacks tend to marry Jill Sixpacks, and reproduce.
Anybody who's read CM Kornbluth's "The Marching Morons" will immediately
recognize it as the *current* situation of most white hats.

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ