| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Jan 2010 20:26:07 +0100
From: Christian Sciberras <uuf6429@...il.com>
To: Bipin Gautam <bipin.gautam@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, "Densmore, Todd" <todd.densmore@...com>
Subject: Re: All China, All The Time
Bipin,
You're got your priorities wrong, and unfortunately many companies are
coming to the same conclusion.
The problem with security is fixing where is needed rather then shout out
"this product is secure" or "hardening".
What I'm talking about; Windows XP came with it's own Firewall, but please
note that it was a separate module (to an extent), not merged without C&C
inside the kernel, as security seems to be going today.
Indeed the worst enemy of security is complexity, and this shows, when you
get an OS which is inflexible and unusable without user input to make it
secure (Unix and now even Windows).
I consider this approach very wrong; you are mixing secure and insecure
processes, complicating matters, when actually there's only the need of one
single layer of tight security.
Same with browsers, there needs to be a security layer and companies need to
account for that layer, nothing more nor less.
My 2 cent.
Regards,
Christian Sciberras.
On Mon, Jan 18, 2010 at 8:14 PM, Bipin Gautam <bipin.gautam@...il.com>wrote:
> So, What is the cost of buying a fighter jet? What would be the cost
> of hardening windows (say) by default,straight out of Microsoft, with
> good defense in depth strategy (or least an ad-on)?
>
>
> ( Sometimes identifying your enemy is difficult than the battle itself
> and sometimes the battle exists within itself. )
>
>
> How accountable should vendor be when it comes to security?
>
>
> The problem with with Microsoft is, even if i want to give up
> flexibility and wish more security there is still no easy way out by
> default.
>
>
> An example, a case of a mainstream company, Microsoft:
>
> * seeks help from an agency who prioritize on "collection efforts"
> over the defensive to help "secure?" their software.
>
> * Give away early patches to selected clients (which also CLEARLY
> means giving away 0-days information early) and many critical bug
> fixes remains un-patched for months/year.
>
> * Only and promptly sell customized/hardened version of Windows to
> "selected clients".
>
> Also, a number of solutions that actually works[1] has export control.
>
> So, like nuclear inspection, i think maybe, there should be an
> inspection agency under UN to monitor international software/hardware
> makers and make sure "Total Paranoia Module" (TPM) can be accomplished
> globally via transparency in the software development life-cycle of
> ICT products with international inspections to review quality of every
> software and hardware that is in international consumption and make
> sure it survives the hostility and will live the bureaucracy of
> cyberspace before it hits the market.
>
>
> Reality, unless government steps in for total control and security of
> cyberspace, the private sectors are more on their own to protect their
> ends. We can only coordinate and try to police each-other and work for
> common-defense?
>
> The way i see it, if you see it simple, the solution is quiet simple,
> if you make it complicated, you are right!
>
> [1] www.baesystems.com/ProductsServices/bae_prod_csit_xtsstop7.html
>
> Also check,
> http://lists.menog.net/pipermail/itpolicy-np/2010-January/000540.html
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists