Security Basics mailing list archives

Re: considerations about exploits tricks


From: PCSC Information Services <info () pcsage biz>
Date: Mon, 5 Nov 2007 09:38:39 -0500

Hi opexoc et al,

One thing to be considered when designing your systems for security is that 'Security is a process, not a destination.' It's been argued that the only secure computer is the one that's at the bottom of the ocean with no power available. I would hazard that with this in mind, there is never the possibility of 'winning' the battle, only consistent successful defense of the perimeter.

Successful security is consistent, but to arrive at this level of consistency requires constant vigilance. It would never do to rest on one's laurels and say 'We've arrived and we're secure,' as that 'Maginot Line' of thinking would only be circumvented by shifting the vector of attack (as the Maginot defense proved).

If you are in charge of security for your organization, it's critical to have frank discussion about the ongoing security requirements of your systems, and to ensure that policy is in place to monitor and adjust your security processes as software and systems evolve. Even more critical is that the budget and human-power are adequately provided for through the policy so as to ensure that these evolving security threats are met with the appropriate response. Attackers are never standing still, and neither should the vigilant security expert.

Best,

Sean Swayze

On 3-Nov-07, at 7:36 PM, opexoc () gmail com wrote:

Hello,

I wonder about security holes which are still present in our OS, which let attackers take over control. I have heard about PaX system, ProPolice and others, which in consolidation should well defend system against attacks like buffer overflow. Is it not enough? Can't we really win the battle against buffer overflow and heap overflow?

opexoc

