firewalls and "known secure software" are separate layers, any robust security system employs multiple layers, in the hope that when one layer fails another will stand. as no software can ever be "bug free", it also can never be fully secure and invulnerable to previously unforeseen attack mechanisms. the idea is for the overall system to fail gracefully and not completely when a new hole is found in the armor, hopefully a layer above or below the newly discovered "hole" will still provide protection, or at the very least detection so that the wound can be dealt with before you bleed to death or at least know who stabbed you and how so you can hopefully prevent it in the future. the need to keep up with the latest "patches" is evidence of the usefulness of overlapping layers of security.
an encrypted file system may be more of a burden than a help, the data is always available at some point as plain text, and encryption systems, like any other security measure, are often found to have major faults that make them less effective. also, if a file system is encrypted, the keys have to exist somewhere on that system, if someone manages to steal the keys they can steal everything if encryption is the only security device you've used. often it is easy to reconstruct the keys from the encrypted files themselves, or to otherwise capture them via hardware or software, and software can be planted without physical access in many cases. encryption may be useful as an additional layer of security, but is not adequate by itself, and is not a substitute for physical security, as the vulnerability of wireless lans has demonstrated. ssl helps protect data flying across the net, but it's not the same as having the data in a vault watched by an army of armed guards, it is still vulnerable, and more importantly you may not even know whether or not it has been compromised, either by monitoring or alteration. it's much better than nothing, but hardly attack proof. often security measures provide a false sense of security, which is very dangerous, users should understand that even multiple layers don't absolutely guarantee data integrity and security, but they do help make it more expensive for intruders and provide some increased security, to a point. as has been demonstrated many times, the use of poorly chosen passwords can weaken any security system, and this almost always happens with large corporate systems. there are always users who find passwords a pain and fail to choose them well or to change them often, or even to safe guard them. people often write down their passwords, creating a situation where loss of physical security of a piece of paper (which may be in their wallet they carry home, or taped to a writing table where cleaning personnel can find it and use it). humans are usually if not always the weakest link of any security system, we are fallible, and some of us are careless or sloppy due to arrogance, or subject to black mail. the info on the kremlin is interesting, it's an example of multiple layers, fortunately the hackers weren't able to overcome the language barrier, which was only an accidental protection mechanism. crime is often thwarted by simple or accidental circumstances, but it's hardly a reliable safeguard. "Eric D." wrote: > > on 15/7/02 21:25, Eagle at [EMAIL PROTECTED] wrote: > > > consoles. But those breakins were on a Linux server machine (my OS X > > Cube is also a web/ssh server) that was not up-to-date on the latest > > fixes at the time. I imagine that, for most Mac OS X users, keeping up > > with System Updates will be good enough. > > I don't imagine there are too many exploits that can be perpetrated against > a Mac OS X machine -- not only would the hacker have to stumble on just the > right version of Apache, but they would also have to think quickly enough to > compile their exploits for the PPC ;) ;) ;) > > PS Remember the press recently that the Kremlin's website was running a > vulnerable version of Apache? Apparently the website was immune to the > attack that was being reported on because of the Cyrillic alphabet (16 bit > characters (what's that, a word?) ;). > > > Nor do I, but with a Unix server, passwords aren't enough. You need > > secure communications channels (SSH), and you need to keep up with the > > latest patchlevels on your software. Recall the recent SSH and Apache > > exploits -- machines that have not been upgraded today are still > > vulnerable to exploitation. > > Someday I'll have to learn how these exploits function. > > > You need more than a secure OS -- you need an encrypted filesystem to > > protect against physical access issues. > > > > For those worried about remote exploitation, the rules are few and > > simple: > > - run only the services you need, > > - keep up on the latest patchlevels for those servers, and > > - limit access to those services by IP address (tcp wrappers) whenever > > possible. > > If you run a server with known secure software, there's little reason to run > a firewall. But, there's also the problem that a firewall still won't keep -------------- -- Philip Stortz, mad scientist at large. --Every 13 seconds an American gun owner uses a firearm in defense against a criminal. gun ownership deters crime, it doesn't increase it. gun control increases crime and cost lives. <http://www.pulpless.com/gunclock/framedex.html> -- G-List is sponsored by <http://lowendmac.com/> and... Small Dog Electronics http://www.smalldog.com | Refurbished Drives | -- We have Apple Refurbished Monitors in stock! | & CDRWs on Sale! | Support Low End Mac <http://lowendmac.com/lists/support.html> G-List list info: <http://lowendmac.com/lists/g-list.shtml> Send list messages to: <mailto:[EMAIL PROTECTED]> To unsubscribe, email: <mailto:[EMAIL PROTECTED]> For digest mode, email: <mailto:[EMAIL PROTECTED]> Subscription questions: <mailto:[EMAIL PROTECTED]> Archive: <http://www.mail-archive.com/g-list%40mail.maclaunch.com/> Using a Macintosh? Get free email and more at Applelinks! <http://www.applelinks.com>
