Full Disclosure mailing list archives

Re: Securing our computers?


From: "Memisyazici, Aras" <arasm () vt edu>
Date: Mon, 3 Nov 2008 09:05:45 -0500

<mcwidget said>:

the security on these boxes could be tightened/restricted to our
heart's content as this would not impact the user's everyday use.

:) As someone who shares geographical commonality and is honored to be a 'padawan' of Valdis, when I brought up 
something very similar to this argument a while back, I was smacked down so bad by him and his peers, it still hurts to 
remember that day! :p

In any event, before y'all make even more 'human' comments like the one above, please consider that:

A) you are dealing with an extremely considerate and intelligent man who has and continues to put up with this very 
question among many other things on a daily basis, while pretending to be a regular IT guy :)

B) The suggestion you made mcwidget is pretty much (I'm very sad to agree) 'just not worth it'...

To expand, design a model keeping the following factors in mind:

* cost of implementing such technique onto existing hardware (i.e. Openwrt like systems) vs. distributing new hardware

* cost of the load that will be placed on the vendor's support team for this project (don't forget that vendors will be 
hiring Punjab-I-read-Scripts farms so calculate for the 'hold please!' and the customer getting so aggravated due to 
false-neg's/pos's or just plain non-functionality that they cont. to waste support resources over and over and ...)

* cost of maintaining a team of clued -IT prof.'s who will create/update a central db of sig's on extreme hardware by 
cooperating with other vendors who will deliberately shoot down attempts b/c such a product will drive down their sales 
(not everyone cares for the greater good, in today's greedy society)

* speed of adaptation of said technology, given all the lovely comments it will be receiving from early-Joe/Jill 
Sixpackers blogs/sites who had no idea how to use it other than they were told it's a 'Good Thing', and given a Flash 
video demonstrating how they can implement the device with its color-coded cabling and free-of-charge 1st support call 
if all else failed!

* The cost on the vendor with all the returns it receives back

***###***###***###***###***###***### (there were more factors but after the 6th or 7th hit to the back of the head, you 
tend to lose way too many memory cells to remember all :p)

Now... Don't get me wrong, I totally agree with you, at first it sounds like a great idea to implement NAC/P like 
technology for the reg. Joe/Jill out there... But as you can all deduce it's just not feasible in the 'Real World'. 

As for your original comment and why I singled it out...

So... Your scenario assumed successful implementation of the tech. by the user... And totally disregarded 
false-negatives and false-positives... So here's Joe Sixpack staring at this warning sign saying, 'according to our 
immature calculations 'something isn't right', so we're gonna let you figure that out by allowing you to only go to 
our approved 3rd party/marketing associate sites (which others can also join the network for a feasible fee) or by 
calling us at 800-OUTSRC-IT and wasting 2-3 hours on the phone to figure out that our central db doesn't include 
signatures for your AV/firewall/anti-malware combo yet...

Sincerely,
Aras 'Russ' Memisyazici
Systems Administrator

Office of the Vice President for Research
Virginia Tech

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

