Full Disclosure mailing list archives

Re: CyberInsecurity: The cost of Monopoly


From: Frank Knobbe <frank () knobbe us>
Date: Sun, 28 Sep 2003 15:51:16 -0500

On Sun, 2003-09-28 at 15:38, Michal Zalewski wrote:
> So it's probably pointless to call for a revolution in this regard. My
> interpretation of what Paul said was that he referred to the problem of
> "blob networks" that cannot be held accountable and are often very
> difficult to control.

Nah, I'm not calling for a revolution. 

> That does not seem to have much to do with what you mentioned, control of
> the data. You still control the machine remaining blind to the information
> it handles. Besides, once again, it's all available. Some systems (most
> recent Linux, or, to a degree, even Windows) have extensive access control
> mechanisms that go beyond archaic root-and-user separation.

Sure, they do. But they appear to be underutilized. My point was that a
lot of admins appear to be focusing on the network/service layer. There
are controls available today as you say such as ACLs, but in my opinion
they are underutilized. I believe that the finer the control gets (i.e.
having to touch every file as opposed to just the server), the more
work effort it creates, and that's the reason it just doesn't get
implemented. The finer the control, the better the security. But also,
the finer the control, the greater the work effort/load. The greater the
workload, the less gets implemented. The less gets implemented, the less
secure the system is.

Increasing security efforts should not mean just piling up more controls
on the same level. It should mean zooming in and putting more controls
on a smaller level. I think we have been playing too much with "blanket
controls" and need to rediscover the security micro-cosmos. We've gotten
used to protecting a lot of data with one control. We need to get back to
putting controls on each datum.

Sorry, I just don't know how else to express my sentiment. Instead of
arguing this point back'n'forth, let's just return to the topic at hand:
Monoculture != Security. I fully agree with it. :)

Cheers,
Frank

Attachment: signature.asc
Description: This is a digitally signed message part
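The trade-off Frank describes (one "blanket" control on the server or share versus an ACL on each datum) can be made concrete with a small model. The following is an added illustration, not code from the post or from any of the systems mentioned; the principals, paths and policies are constructed for the example. The evaluator uses deny-by-default ACL semantics, with a path inheriting its nearest ancestor's entries unless it carries an explicit ACL of its own (the spirit of POSIX default ACLs, simplified rather than a reimplementation of setfacl/getfacl). It shows what a single over-broad grant exposes to a service account compared with per-directory and per-file entries, and counts the entries an admin has to maintain in each case.

```python
"""Blanket control vs. per-datum ACLs, modelled in plain Python.

Constructed example: principals, paths and policies are made up to
illustrate the mailing-list discussion; nothing here reflects a real
deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()


class Policy:
    """Per-path ACL entries. An entry is (kind, name, rights) where kind is
    "user" or "group" and rights is a set of single-letter rights such as
    {"r", "w"}. A path without an explicit ACL inherits the ACL of its
    nearest ancestor that has one; nothing is granted otherwise."""

    def __init__(self):
        self.acls = {}  # path -> list of (kind, name, frozenset(rights))

    def set_acl(self, path, entries):
        self.acls[path] = [(k, n, frozenset(r)) for k, n, r in entries]

    def effective_acl(self, path):
        # Walk up from the object itself towards "/" until an ACL is found.
        parts = path.rstrip("/").split("/")
        while parts:
            candidate = "/".join(parts) or "/"
            if candidate in self.acls:
                return self.acls[candidate]
            parts.pop()
        return []

    def allowed(self, who, path, right):
        for kind, name, rights in self.effective_acl(path):
            if right not in rights:
                continue
            if kind == "user" and name == who.name:
                return True
            if kind == "group" and name in who.groups:
                return True
        return False  # deny by default: no matching entry, no access


# Constructed data set: a web root plus two sensitive directories.
FILES = [
    "/srv/data/www/index.html",
    "/srv/data/www/catalog.json",
    "/srv/data/hr/salaries.csv",
    "/srv/data/finance/ledger.db",
]

WEBSVC = Principal("www-data", frozenset({"web"}))   # the web service account
HR_CLERK = Principal("alice", frozenset({"hr"}))     # an HR user


def blanket_policy():
    """One control at the top of the tree: easy to set up, everything inherits it."""
    p = Policy()
    p.set_acl("/srv/data", [("group", "web", "r"), ("group", "hr", "rw")])
    return p


def per_datum_policy():
    """Entries placed where the data actually lives; the root grants nothing."""
    p = Policy()
    p.set_acl("/srv/data", [])
    p.set_acl("/srv/data/www", [("group", "web", "r")])
    p.set_acl("/srv/data/hr", [("group", "hr", "rw")])
    p.set_acl("/srv/data/finance", [("user", "bob", "rw")])
    return p


def readable_by(policy, who):
    """Every file the principal could read: what a compromise of that
    account would expose under the given policy."""
    return sorted(path for path in FILES if policy.allowed(who, path, "r"))


def entries_to_maintain(policy):
    """The administrative cost Frank points at: how many entries exist."""
    return sum(len(entries) for entries in policy.acls.values())


if __name__ == "__main__":
    for label, pol in (("blanket", blanket_policy()), ("per-datum", per_datum_policy())):
        print(f"{label}: {entries_to_maintain(pol)} entries to maintain")
        print(f"  www-data can read: {readable_by(pol, WEBSVC)}")
        print(f"  alice can read:    {readable_by(pol, HR_CLERK)}")
```

Under the blanket policy the web service account can read the HR and finance files it never needs, while the per-datum policy confines it to the web root at the cost of more entries to keep correct; that difference is the one the thread is arguing about.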

