Jacob Meuser wrote:
> he should blame OS producers who want people to use their system
> and aren't willing to work to make their systems secure, idiot
> consultants who want to make money and not work hard, and lazy
> system administrators more, and hackers less.

Let's quote the interview:

| There's enough blame for everyone.
|
| Blame the users who don't secure their systems and applications.
|
| Blame the vendors who write and distribute insecure shovel-ware.
|
| Blame the sleazebags who make their living infecting innocent people
| with spyware, or sending spam.
|
| Blame Microsoft for producing an operating system that is bloated and
| has an ineffective permissions model and poor default configurations.
|
| Blame the IT managers who overrule their security practitioners'
| advice and put their systems at risk in the interest of
| convenience. Etc.
|
| Truly, the only people who deserve a complete helping of blame are
| the hackers[....]

And in reply to one of the comments, he wrote:

| [...T]he guys who are going around breaking into innocent peoples'
| networks are the problem. There's no moral basis I have ever heard
| of that makes it acceptable to blame the victim. And most users of
| home systems are victims in this war. Saying "because bob didn't
| have a personal firewall, a personal IDS, whatever - it's HIS FAULT
| that his system got hacked" is ethically the same thing as saying
| "it's HER FAULT she got raped because she was wearing a short
| skirt!"

Jake again:
> also, I find it odd, that he never mentions the work of the OpenBSD
> project. he never mentions authpf when he talks about how firewalls
> don't solve the inter-system trust problem. he doesn't talk about
> credential forwarding in OpenSSH, but gives an example of how SSH
> "leapfrogging" is insecure. he says that there is still a problem
> at the application level but doesn't mention propolice or systrace,
> or the fact that there _are_ projects out there that _do_ care about
> the correctness of the code they ship. he talks about playing the
> waiting game, not using technology until it's proven: that's why
> OpenBSD "lacks support" for stupid crap.

I agree with most of what you said, but how does openssh credential forwarding prevent the transitive trust problem described in the interview? If a cracker owns your desktop, then with a little keylogging, she can own any box you connect to through that desktop through a combination of reading private keys and logging keystrokes.

> IMO, the article is just more anti-MS, Linux is "good enough" because
> there is nothing better FUD.

That's an interesting take, since Linux is never mentioned in the interview. The only platform vendor mentioned is Microsoft, and that's in the one-liner I quoted above.

-- 
Bob Miller K<bob>
kbobsoft software consulting
http://kbobsoft.com
[EMAIL PROTECTED]

_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
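The reply above makes the point that a compromised desktop reaches every host that desktop's SSH credentials are trusted by, whether the attacker reads an unprotected key file or forwards the agent through the desktop. The following POSIX shell audit is an added example, not part of this thread or of any OpenSSH tool: it reads an OpenSSH client config and flags the two settings that widen that transitive trust, `ForwardAgent yes` and an `IdentityFile` stored as an unencrypted PEM key. The config text and key files it inspects are constructed for the example; the function name `audit_ssh_config` and the temp-directory layout in `demo` are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the EUGLUG thread or the OpenSSH project):
# audit an OpenSSH client config for settings that let a compromised
# desktop reach further than its own disk.

# audit_ssh_config FILE
# Prints one "FINDING:" line per issue and returns the number of findings
# (0 means nothing flagged). Directives are matched case-insensitively,
# as ssh_config(5) treats them.
audit_ssh_config() {
    cfg="$1"
    findings=0

    # ForwardAgent yes: any host you log in to can use your local agent to
    # authenticate onward as you, which is exactly the "leapfrog" chain the
    # interview and the reply describe. Prefer ForwardAgent no, and use
    # ssh-add -c so each agent signature needs local confirmation.
    if grep -Eiq '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$cfg"; then
        echo "FINDING: ForwardAgent yes in $cfg"
        findings=$((findings + 1))
    fi

    # IdentityFile without a passphrase: a desktop intruder needs no
    # keylogging at all, just read access to the file. PEM-format keys mark
    # encryption with a "Proc-Type: 4,ENCRYPTED" header; the newer
    # "OPENSSH PRIVATE KEY" container cannot be judged by grep alone and is
    # reported as needing a manual check (ssh-keygen -y -P '' would tell).
    # Paths are taken literally; '~' expansion is deliberately not done.
    for key in $(grep -Ei '^[[:space:]]*IdentityFile[[:space:]]+' "$cfg" | awk '{print $2}'); do
        [ -f "$key" ] || continue
        if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$key"; then
            echo "NOTE: $key is new-format; verify passphrase with ssh-keygen"
        elif grep -Eq 'BEGIN (RSA|DSA|EC) PRIVATE KEY' "$key" &&
             ! grep -q 'Proc-Type: 4,ENCRYPTED' "$key"; then
            echo "FINDING: unencrypted PEM private key $key"
            findings=$((findings + 1))
        fi
    done

    return "$findings"
}

# demo: build a constructed weak config and a hardened one, audit both.
demo() {
    d=$(mktemp -d)
    # Constructed sample key: PEM header with no Proc-Type line (unencrypted).
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)\n-----END RSA PRIVATE KEY-----\n' > "$d/id_rsa"
    printf 'Host *\n    ForwardAgent yes\n    IdentityFile %s/id_rsa\n' "$d" > "$d/weak"
    printf 'Host *\n    ForwardAgent no\n' > "$d/hardened"

    echo "== weak config =="
    audit_ssh_config "$d/weak" || echo "findings: $?"
    echo "== hardened config =="
    audit_ssh_config "$d/hardened" && echo "findings: 0"
    rm -rf "$d"
}

demo
```

Run it as `sh audit.sh`; the weak config yields two findings (agent forwarding plus the unencrypted key) and the hardened one none. The return value is the finding count so the function can gate a login script or a configuration-management check.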
