funsec mailing list archives

Re[4]: www.hexblog.com down?


From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 4 Jan 2006 22:21:16 +0100

Good Day,

SD> This puzzles me a bit.

Understandable. I am willing to explain.

SD> If you are storing customer data on machines your blissfully unaware
SD> account uses to surf the web, what has really changed?

Everyone has internet access nowadays. If we wanted, we could file
absolutely everything electronically (this is the e-government project
in Belgium). In many cases (Intrastat, some VAT stuff) we are MANDATED
BY LAW to use electronic delivery. The Internet or, for example, a
private dying system called ISABEL.

Ideally, I agree with you that we should have a military style
network, with a totally private/segregated network for accounting
purposes/customer database.

In practice, is it possible? Realistic? How are Microsoft and
governments evolving? Will it become more of a problem in the future?
We are, in some ways, close to that. We have two connections here,
totally segregated. There is one for our "corporate" network, and one
for the public aspects. Different routers, different policies. How
many small companies go as far as that?

SD> They were vulnerable for years before the public disclosure.

Agreed. But

- we did our best, given the amount of knowledge we had, to tackle
security issues on our side of the network. For example, Outlook has
been explicitly forbidden since the 90s here. We did buy licenses for
another e-mail client, based on our best judgement. So was Office. We
are using Lotus WordPro, for example.

- there are many more vulnerabilities in Windows. Given our level of
expertise, we probably could come up with some if our area of interest were
vulnerability research. But we don't favour full disclosure.

- until the day that vulnerability was fully explained, exposed and
detailed for everyone to use (I, we, Ilfak) did not care much.
Everyone can be exploited by a zero day vulnerability. When the
knowledge became widespread, the whole story changed. We were at the
mercy of not only a dedicated hacker, but also of any idiot. That
makes a very big difference. Given the nature of our user base, I have
no doubt anyone there could hack us (or, maybe more simply, listen to
our traffic...). We could probably track it. Deterrence (and
correction from our user base at work). Vandals are different.

SD> They were potentially exploited during the weeks before the public
SD> disclosure.

Very true. That doesn't mean we shouldn't act when we are aware of it.
I learned of the vulnerability as a normal user. I asked "can we do
something about it?" because I didn't like the idea of being a sitting
duck. It seems we could.

SD> They will still be vulnerable to other known vulnerabilities, but not
SD> necessarily public, after this vulnerability is patched.

Very true again. Do you propose we do something about unknown zero
day exploits? Switch to Linux or Mac OS X, for which I am sure - as of
today - zero day non public exploits exist?

SD> Ignorance may be bliss, but do you depend on it to keep your customer
SD> data secure?

Do you rely on yours? Are you suggesting that all businesses should,
and will, in the future, implement the clever military approach
(totally physically and functionally segregated networks)? I don't
know.

So basically, that question doesn't make sense. By definition, my
ignorance is very close to infinite. So is yours. As far as I know,
each and every human being is in the same position in that respect,
from a generic point of view as well as from an IT point of view.

We should act upon what we know. We can't act upon what we don't know.
And we can make mistakes.

-- 
Best regards,
 Pierre                            mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.