On Wed, Jun 22, 2005 at 02:21:34PM -0700, Bob Miller wrote:
> Jacob Meuser wrote:
> 
> > he should blame OS producers who want people to use their system
> > and aren't willing to work to make their systems secure, idiot
> > consultants who want to make money and not work hard, and lazy
> > system administrators more, and hackers less.
> 
> Let's quote the interview:
> 
> | There's enough blame for everyone.
> | 
> | Blame the users who don't secure their systems and applications.
> | 
> | Blame the vendors who write and distribute insecure shovel-ware.
> | 
> | Blame the sleazebags who make their living infecting innocent people
> | with spyware, or sending spam.
> | 
> | Blame Microsoft for producing an operating system that is bloated and
> | has an ineffective permissions model and poor default configurations.
> | 
> | Blame the IT managers who overrule their security practitioners'
> | advice and put their systems at risk in the interest of
> | convenience. Etc.
> | 
> | Truly, the only people who deserve a complete helping of blame are
> | the hackers[....]
> 
> And in reply to one of the comments, he wrote:
> 
> | [...T]he guys who are going around breaking into innocent peoples'
> | networks are the problem. There's no moral basis I have ever heard
> | of that makes it acceptable to blame the victim. And most users of
> | home systems are victims in this war. Saying "because bob didn't
> | have a personal firewall, a personal IDS, whatever - it's HIS FAULT
> | that his system got hacked" is ethically the same thing as saying
> | "it's HER FAULT she got raped because she was wearing a short
> | skirt!" 

no, this is not the same.  the "leaving the front door open" analogy
is more apt.  or, well, if a woman is wearing a short skirt, perhaps
there should also be a bottle of mace in her purse?

look, in any aspect of life, you make choices about your security.
hell, just look at what happens to people who fall in love and get
their heart ripped out because the person they trusted was not the
person they thought they were?

not being aware of your actions, and the possible repercussions of
those actions is, well, your own fault.  there's really no one else
to blame, as much as the litigious US police-state rulers would like
you to believe otherwise.

> Jake again:
> 
> > also, I find it odd, that he never mentions the work of the OpenBSD
> > project.  he never mentions authpf when he talks about how firewalls
> > don't solve the inter-system trust problem.  he doesn't talk about
> > credential forwarding in OpenSSH, but gives an example of how SSH 
> > "leapfrogging" is insecure.  he says that there is still a problem
> > at the application level but doesn't mention propolice or systrace,
> > or the fact that there _are_ projects out there that _do_ care about
> > the correctness of the code they ship.  he talks about playing the
> > waiting game, not using technology until it's proven: that's why
> > OpenBSD "lacks support" for stupid crap.
> 
> I agree with most of what you said, but how does openssh credential
> forwarding prevent the transitive trust problem described in the
> interview?  If a cracker owns your desktop, then with a little
> keylogging, she can own any box you connect to through that desktop
> through a combination of reading private keys and logging keystrokes.

it does not completely solve the problem.  yes, once credentials are
had, you're screwed.  however, with credential forwarding, your
credentials are not all over the place.  you don't have to type in
passwords/phrases on every machine.

> > IMO, the article is just more anti-MS, Linux is "good enough" because
> > there is nothing better FUD.
> 
> That's an interesting take, since Linux is never mentioned in the
> interview.  The only platform vendor mentioned is Microsoft, and
> that's in the one liner I quoted above.

yes, but most people (and just today I had this experience with
Comcast), think that !MS == Linux.

-- 
<[EMAIL PROTECTED]>
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug