Re: Re: Pudent default security

[Ed Carp <erc () smi kicks-ass net>]

On Mon, 29 Sep 2003, Jay Sulzberger wrote:

> > Yes, that is what I was trying to say, however lamely.  The preponderance
> > of discussions and papers on security today focus on the network and how to
> > control the flow of data/packets.  But in the final analysis, the problems
> > always come down to the individual machine, be it server or workstation.
> > Why aren't security ideas focusing on that problem primarily?  Oh, we all
> > know you shouldn't run unnecessary services, but that's about as far as the
> > wisdom goes.

And that's why the MS Blaster worm and variants have been so successful -
most admins think that because they have a properly configured firewall in
place, they're invulnerable - never realizing that all it takes is someone
with an infected laptop to plug in behind the firewall, and they're toast.
But it's somewhat understandable, because all the trade mags have been
harping on is a centralized firewall for years.

> > IMO the vendors should be providing these types of tools as an integral
> > part of the OS in addition to shipping in an off-by-default model.  It
> > should be trivial to "do security" in an OS.  (It still blows my mind that
> > every WinXP box comes with UPnP on by default.  RPC I can *almost*
> > understand, but UPnP???)  I'm saying we need a paradigm shift in *thinking*
> > about how an OS should be configured out of the box *and* a paradigm shift
> > in the ease of configuration on an enterprise level.

At least it comes with some sort of firewall - a step in the right
direction, I think.  Too bad no one in my company runs XP - too
unstable...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html