Full Disclosure mailing list archives
Re[6]: Response to comments on Security and Obscurity
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 2 Sep 2004 17:41:39 +0400
Dear James Tucker,

--Thursday, September 2, 2004, 3:16:45 PM, you wrote to 3apa3a () security nnov ru:

Even more. This is very common scenario and this scenario must be covered by security policy. You are either unfamiliar with this problem or your information is out of date.

JT> Security policies never "go out of date" and this scenario as you
JT> agreed with me, is still common today. If it is still common then
JT> please explain how is this "out of date"?

Security policy is never out of date because it's reviewed on regular basis. It's your information about available solution that is out of date.

JT> Even viri don't go "out of date", although many virus checkers
JT> probably don't hold some of the really old DOS, amiga, apple and unix

First, you constantly mess virii with worms and trojans. OK, let's think as you said "malware". If malware is out of date or not depends on protection method you use against it. If you use antivirus - OK. You're protected against known viruses and maybe some future modifications of known viruses. This is very poor protection. A good protection is creating sandboxes on application, OS or hardware level. For example, in a very simple case where user can only run a signed application from allowed list, most virii become out of date.

In fact, a problem of virii is one of the largest and most expensive hoaxes. Antiviral program gives no protection. You can treat it as a kind of auditing tool which can alert you in a case of poor administration (you must sack your administrator if you catch virii on your internal network) and filter some junk mail on your mail server, like SPAM filter does.

JT> virus definitions. As we have seen in another discussion on this
JT> list there may well still be a risk of possible infection over
JT> RS232, no matter how unlikely it is, I respect the author of that
JT> question for asking about such possibilities. He was clearly trying
JT> to cover all bases.

I have different opinions on this question. I do not read this discussion because I know answer, even for the case there is no network protocol bound to port and no software service listening on it. I can point you to real life exploit with executing code directly from the port (of course, if you want to learn this dirty exploitation things). See "Bonus" section in http://www.security.nnov.ru/search/document.asp?docid=6145

JT> I am aware of this, however follow the same scenario through to
JT> fruition and you will find the CEO doesn't bother to take out his
JT> smart card, at least for the first 6 months of having one. Education

It means spending first 6 months without leaving a room for him, because he will not be able to leave the room without taking out his smart card. As far as I know human organism resources, you will need new CEO after one week if there is no water supply in the room. It must be really good test for CEO's IQ.

JT> it would have been more efficient
JT> to pay a guard to stand at the door.

And to pay another guard to look after first guard, because he can also leave for lunch. More people have access to the system, less secure system is. Today it's human to become weakest chain in security.

--
~/ZARAZA
The machine turned out to be capable of only one operation, namely multiplying 2x2, and even then it made mistakes. (Lem)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html