Full Disclosure mailing list archives
Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly)
From: "Curt Purdy" <purdy () tecman com>
Date: Sun, 28 Sep 2003 14:39:10 -0500
When we get this far off-topic, how about putting up a new subject line with a was: Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions ---------------------------------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity zar Richard Clarke -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Paul Schmehl Sent: Sunday, September 28, 2003 12:20 PM To: Full Disclosure Subject: [inbox] Re: [Full-disclosure] CyberInsecurity: The cost of Monopoly --On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop <kdebisschop () alert infoplease com> wrote:
Crunchy shell, soft-chewy insides?
I don't think "we" as a "security community" have even begun to tackle this problem. We talk about it, but who is *really* doing it? For example, if you want to network machines you *have* to use SMB/NetBIOS for Windows, NFS for Unix, CIFS, or something similar. Who is really looking at how to be secure while still allowing internal machines to talk to each other? Certainly none of the above protocols qualify as secure. When a machine is problematic, for whatever reason, the usual reaction is "block it at the firewall". But that doesn't protect that machine from *other* internal machines. It only protects it from the outside. Oh, you might have a firewall that cordons off accounting from the rest of the enterprise, but *inside* accounting, you still have the "soft, chewy" problem. I haven't really seen anything that addresses this problem, and I'm not aware of anyone who is working on solving it. For the most part security thinking is still in the middle ages - build a castle with moats and outer defensive rings, and staggered entrances to make it hard for the enemy to get it. Once he gets in, what does current security thinking offer? Not much. What we need is a paradigm shift in thinking. Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: Pudent default security, (continued)
- Re: Re: Pudent default security Ed Carp (Sep 29)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Shannon Johnston (Sep 29)
- Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 29)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Steve Wray (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Steve Wray (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly j (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 30)
- Re: CyberInsecurity: The cost of Monopoly Florian Weimer (Sep 28)
- Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) Curt Purdy (Sep 28)
- Re: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) George Capehart (Sep 29)
- Re: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) Michael Scheidell (Sep 29)
- Re: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) George Capehart (Sep 29)
- Re: Soft-Chewy insides (was: CyberInsecurity: The cost of Monopoly) Michael Scheidell (Sep 29)
- RE: [inbox] Re: CyberInsecurity: The cost of Monopoly Curt Purdy (Sep 28)
- RE: CyberInsecurity: The cost of Monopoly Jonathan A. Zdziarski (Sep 27)
- RE: CyberInsecurity: The cost of Monopoly Joe (Sep 27)
- RE: CyberInsecurity: The cost of Monopoly Jonathan A. Zdziarski (Sep 27)
- RE: CyberInsecurity: The cost of Monopoly Joe (Sep 27)