Full Disclosure mailing list archives
Re: Re: Pudent default security
From: Ed Carp <erc () smi kicks-ass net>
Date: Sun, 28 Sep 2003 23:28:20 -0500 (CDT)
On Mon, 29 Sep 2003, Jay Sulzberger wrote:
Yes, that is what I was trying to say, however lamely. The preponderance of discussions and papers on security today focus on the network and how to control the flow of data/packets. But in the final analysis, the problems always come down to the individual machine, be it server or workstation. Why aren't security ideas focusing on that problem primarily? Oh, we all know you shouldn't run unnecessary services, but that's about as far as the wisdom goes.
And that's why the MS Blaster worm and variants have been so successful - most admins think that because they have a properly configured firewall in place, they're invulnerable - never realizing that all it takes is someone with an infected laptop to plug in behind the firewall, and they're toast. But it's somewhat understandable, because all the trade mags have been harping on is a centralized firewall for years.
IMO the vendors should be providing these types of tools as an integral part of the OS in addition to shipping in an off-by-default model. It should be trivial to "do security" in an OS. (It still blows my mind that every WinXP box comes with UPnP on by default. RPC I can *almost* understand, but UPnP???) I'm saying we need a paradigm shift in *thinking* about how an OS should be configured out of the box *and* a paradigm shift in the ease of configuration on an enterprise level.
At least it comes with some sort of firewall - a step in the right direction, I think. Too bad no one in my company runs XP - too unstable... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: CyberInsecurity: The cost of Monopoly, (continued)
- Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Florian Weimer (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 28)
- Re: CyberInsecurity: The cost of Monopoly Paul Schmehl (Sep 28)
- Pudent default security - Was: CyberInsecurity: The cost of Monopoly security () brvenik com (Sep 28)
- Re: Pudent default security Paul Schmehl (Sep 28)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Ed Carp (Sep 29)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Ed Carp (Sep 29)
- Re: Re: Pudent default security Jay Sulzberger (Sep 28)
- Re: Re: Pudent default security Shannon Johnston (Sep 29)
- Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 29)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Steve Wray (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Michal Zalewski (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Steve Wray (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly j (Sep 30)
- RE: Re: Pudent default security - Was: CyberInsecurity: The cost of Monopoly Frank Knobbe (Sep 30)