When we get this far off-topic, how about putting up a new subject line with a was:
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA Information Security Engineer DP Solutions ---------------------------------------- If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked. -- former White House cybersecurity zar Richard Clarke -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Paul Schmehl Sent: Sunday, September 28, 2003 12:20 PM To: Full Disclosure Subject: [inbox] Re: [Full-Disclosure] CyberInsecurity: The cost of Monopoly --On Sunday, September 28, 2003 8:14 AM -0400 Karl DeBisschop <[EMAIL PROTECTED]> wrote: > > Crunchy shell, soft-chewy insides? > I don't think "we" as a "security community" have even begun to tackle this problem. We talk about it, but who is *really* doing it? For example, if you want to network machines you *have* to use SMB/NetBIOS for Windows, NFS for Unix, CIFS, or something similar. Who is really looking at how to be secure while still allowing internal machines to talk to each other? Certainly none of the above protocols qualify as secure. When a machine is problematic, for whatever reason, the usual reaction is "block it at the firewall". But that doesn't protect that machine from *other* internal machines. It only protects it from the outside. Oh, you might have a firewall that cordons off accounting from the rest of the enterprise, but *inside* accounting, you still have the "soft, chewy" problem. I haven't really seen anything that addresses this problem, and I'm not aware of anyone who is working on solving it. For the most part security thinking is still in the middle ages - build a castle with moats and outer defensive rings, and staggered entrances to make it hard for the enemy to get it. Once he gets in, what does current security thinking offer? Not much. What we need is a paradigm shift in thinking. Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
