Full Disclosure mailing list archives
Re: comparing information security to other industries
From: Michael Zimmermann <zim () vegaa de>
Date: Mon, 25 Dec 2006 01:07:30 +0100
Hi Brian,

You answer from the viewpoint of somebody engaged in modern 'computer security'. But with the phrase "at large" I meant a more global view: two thirds of PCs are estimated to contain malware. We are so used to receiving all kinds of viruses, worms and trojans that we NEED antivirus scanners and firewalls. Those defences are like medicine which you MUST take - and the more medicine you have to take, the more ill you are.

In the early 1980s it was _unthinkable_ that a program would run on your system which you didn't know existed and hadn't installed yourself. Nowadays it's the rare exception when a user knows what is running on his PC (and a professional system admin who knows every program executing on his machine is also a rare thing, I think).

Complexity has grown, but our basic security structures in hardware and software have not. Unix/Linux security is based on the classic Unix design (was it 1974 when it was published?), DOS security is an unborn child, while Windows security is not better than that of Linux. Why? The Intel hardware for PCs was chosen on the basis of marketing thinking and not because it was technically better than its alternatives - nothing to say about security concerns. An executable stack with decreasing addresses, unprotected memory and a totally missing permission scheme in the IBM PC, and, and, and... Marketing/money decisions have ruled the IT industry since the first IBM PC was sold. Yet better system and hardware designs existed even before the IBM PC. Just to name two: Motorola processors or the Multics OS.

Brian, IMO your argumentation is not a solution to improve overall security but is symptomatic of the lack of it: a lot of patchwork and no broadly accepted security concept. Only during the last few years has that situation been changing, slowly - but not yet in the Windows realm.

But a functioning PC security is needed, IMO; at least I don't want to live with a net where hundreds of thousands of zombies can bring my server down at any moment or flood my MTA daily with thousands of crap emails. These daily fights may create a sort of dynamic equilibrium, but they are not what I call "security" or "stability".

Greetings
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/