Open Source and information security mailing list archives
Message-ID: <20110224162422.GF4876@ownco.net>
Date: Thu, 24 Feb 2011 11:24:22 -0500
From: jf <jf@...co.net>
To: Paul Schmehl <pschmehl_lists@...rr.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: What the f*** is going on?

> "Doing security" really isn't that hard.  Behind all the fancy appliances 
> and gee-whiz technology, the underlying principle is, don't unnecessarily 
> expose your assets to attack.

eyeroll, thanks for the clarification.

 
> This boils down to a few simple things:
> 1) Don't allow users to create simple passwords.
> 2) Don't allow admins to forego routine patching
> 3) Don't allow poor configuration of applications
> 4) Don't allow services that aren't vetted and authorized

to think I wasted all this money on SANS...

(how come no one ever points out that rate-limiting failed logins is probably more important than password complexity?)
 
> Those four simple rules will go a long way toward reducing your attack 
> surface enough that the "routine" "hackers" will move on to easier targets. 
> Depending upon your infrastructure, some of this can be automated, but the 
> bottom line for good security is auditing.  Know what your assets are. 
> Know what the weaknesses are.  Do everything you can do to avoid 
> unnecessary exposure.
> You're not going to stop a determined adversary from getting in.  There is 
> always a weakness somewhere that can be leveraged to gain further access. 
> But if you forgo routine patching, allow lousy passwords, allow poor 
> configuration practices and run services that aren't vetted and authorized, 
> then, well, you're an HBGary clone..

Okay, I think I got it, doing security is not hard, duh! You should listen to me, but hey, you're still gonna get owned, but really... this security stuff is e-z.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/