Re: standards status in the industry - opinion?

[Drsolly <drsollyp () drsolly com>]

On Sun, 8 Jan 2006, Blue Boar wrote:

> Nick FitzGerald wrote:
> > So, you're saying that just because a bunch of morons designed 
> > something utterly brokenly (from a security perspective) from the 
> > outset _AND_ that much of the world "enjoys" the flexibility this 
> > approach has allowed (or is just too damned ill-informed or otherwise 
> > stupid to know any better), THAT informed security professionals (and 
> > others) should not try to get such gross stupidity fixed?
>
> I'm not saying that you shouldn't try, just that you probably won't 
> succeed.  In my experience, you "can't" take away some feature people like.

The way you do that, is you sell them an additional feature, that consists 
of a disabling of the insecure feature.
 
> I believe you can simply string together whitelisted programs to do what 
> you like.  Things like tftp.exe and format.exe.

I really doubt if many users need either of those.
 
> I wasn't even neccessarily talking about vulnerabilities per se.  I 
> don't consider enabling viruses to be a vulnerability, really.  Just a 
> side-effect of a general purpose OS.

Maybe we have to think the unthinkable, and aim for an OS that isn't 
general-purpose.
 

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.