Full Disclosure mailing list archives
Re: CyberInsecurity: The cost of Monopoly
From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 28 Sep 2003 12:20:28 -0500
--On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop <kdebisschop () alert infoplease com> wrote:
I don't think "we" as a "security community" have even begun to tackle this problem. We talk about it, but who is *really* doing it? For example, if you want to network machines you *have* to use SMB/NetBIOS for Windows, NFS for Unix, CIFS, or something similar. Who is really looking at how to be secure while still allowing internal machines to talk to each other? Certainly none of the above protocols qualify as secure.Crunchy shell, soft-chewy insides?
When a machine is problematic, for whatever reason, the usual reaction is "block it at the firewall". But that doesn't protect that machine from *other* internal machines. It only protects it from the outside. Oh, you might have a firewall that cordons off accounting from the rest of the enterprise, but *inside* accounting, you still have the "soft, chewy" problem.
I haven't really seen anything that addresses this problem, and I'm not aware of anyone who is working on solving it. For the most part security thinking is still in the middle ages - build a castle with moats and outer defensive rings, and staggered entrances to make it hard for the enemy to get it. Once he gets in, what does current security thinking offer? Not much.
What we need is a paradigm shift in thinking. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: CyberInsecurity: The cost of Monopoly, (continued)
- Re: CyberInsecurity: The cost of Monopoly Gregory A. Gilliss (Sep 26)
- RE: CyberInsecurity: The cost of Monopoly Rick Kingslan (Sep 27)
- Re: CyberInsecurity: The cost of Monopoly Peter Busser (Sep 27)
- Re: CyberInsecurity: The cost of Monopoly Fabio Gomes de Souza (Sep 28)
- RE: CyberInsecurity: The cost of Monopoly Chris Stewart (Sep 26)
- RE: CyberInsecurity: The cost of Monopoly *Hobbit* (Sep 27)
- RE: CyberInsecurity: The cost of Monopoly Rick Kingslan (Sep 27)
- RE: CyberInsecurity: The cost of Monopoly Curt Purdy (Sep 27)
- Re: CyberInsecurity: The cost of Monopoly Florian Weimer (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Karl DeBisschop (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Florian Weimer (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 28)
- RE: CyberInsecurity: The cost of Monopoly Rick Kingslan (Sep 27)
- Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 28)
- Pudent default security - Was: CyberInsecurity: The cost of Monopoly security () brvenik com (Sep 28)
- Re: Pudent default security Paul Schmehl (Sep 28)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Ed Carp (Sep 29)