Information Security News mailing list archives

Re: Extreme Security For Web Servers


From: Dave Dittrich <dittrich () CAC WASHINGTON EDU>
Date: Mon, 5 Feb 2001 00:35:09 -0800

To enter the vaults inside the windowless bunker-like compound
requires punching in key codes and slipping your fingers into a series
of scanners similar to those used at the U.S. Navy's nuclear
facilities.
...
Consider
the recent attacks that crippled Microsoft Corp.'s Web sites by
flooding them with false requests for information. Or the hackers who
may have gained access to credit card information at Egghead.com, an
online computer-shopping site.
...
Wrought-iron fences that can withstand 50,000 pounds of force -- like
that produced by a fast-moving car -- enclose the company's
steel-lined building, set back 200 feet from the street and patrolled
by armed guards.

Oh give me a break.

Since when can fingerprint scanners and wrought-iron fences stop an
ICMP packet flood, or prevent someone exploiting a remote
vulnerability and extracting a credit card database?  How many web
page defacements mirrored on attrition.org would have been stopped by a
200 foot setback and armed guards? (Hint - ZERO!)  Physical security
is important, but if you're going to spend a ton of cash, I think
you're better off spending it on security-savvy programmers and system
administrators.

Too bad reality doesn't make for good lead paragraphs.

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             Client Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

ISN is hosted by SecurityFocus.com