Full Disclosure mailing list archives
Re: CyberInsecurity: The cost of Monopoly
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sun, 28 Sep 2003 22:38:02 +0200 (CEST)
On Sun, 28 Sep 2003, Frank Knobbe wrote:
I think Paul's sentiment was that current efforts are focused on networks, IP addresses, firewalls, protocols, etc, basically focusing on the _transport_ of data. I think what we need are better mechanism to protect the _data_ itself, not just the transport/protocol of it.
The protection of data (information) involves far more than IT, and is more about procedures, policies, education, physical access control. On the computer level, we do not really have a way to approach the problem in an efficient and workable manner. There are many ways to make the environment trusted...
I'm not talking about Palladium crap, but more in the direction of more efficient ACL's,
...and yes, trusted computing, meta-tags and redesigned operating systems that focus on the pieces of information and can handle and oversee data flow processes are crucial for this. There is a catch, however - it works fine in a lab or in a high-security office, and not really in the real world - not yet, not anytime soon. So it's probably pointless to call for a revolution in this regard. My interpretation of what Paul said was that he referred to the problem of "blob networks" that cannot be held accountable and are often very difficult to control. This can be solved - sometimes, in some environments. There's no silver bullet, but it's not because we lack the technology or the knowledge, but because we can't bulldoze everything and start from scratch in a bank, telco, or any other company that has a very complex and critical network infrastructure, often designed back in the ages of net innocence.
RBAC, and finer system level control. We *can* harden the chewy insides by applying better controls.
That does not seem to have much to do with what you mentioned, control of the data. You still control the machine remaining blind to the information it handles. Besides, once again, it's all available. Some systems (most recent Linux, or, to a degree, even Windows) have extensive access control mechanisms that go beyond archaic root-and-user separation. The problems with deploying this usually originate from beyond the technology space, once again. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2003-09-28 22:27 -- http://lcamtuf.coredump.cx/photo/current/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: CyberInsecurity: The cost of Monopoly, (continued)
- RE: CyberInsecurity: The cost of Monopoly Chris Stewart (Sep 26)
- RE: CyberInsecurity: The cost of Monopoly *Hobbit* (Sep 27)
- RE: CyberInsecurity: The cost of Monopoly Rick Kingslan (Sep 27)
- RE: CyberInsecurity: The cost of Monopoly Curt Purdy (Sep 27)
- Re: CyberInsecurity: The cost of Monopoly Florian Weimer (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Karl DeBisschop (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Florian Weimer (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 28)
- RE: CyberInsecurity: The cost of Monopoly Rick Kingslan (Sep 27)
- Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 28)
- Pudent default security - Was: CyberInsecurity: The cost of Monopoly security () brvenik com (Sep 28)
- Re: Pudent default security Paul Schmehl (Sep 28)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Ed Carp (Sep 29)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Ed Carp (Sep 29)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Shannon Johnston (Sep 29)