TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
On Thu, 19 Jul 2001, Apers, Kim (ISS Brussels) wrote:
> To get to know the product and use it at 200%, there are courses for that. If
> you look at all the technical manuals (in PDF format), freely downloadable from the
> web, you will learn a lot, and they are well written.
Of course. But I am not talking about learning how to use the
product. I am talking about the architecture/design of the product.
> If you know what you're doing it is easy to secure a wintel box (start with
> installing/using SystemScanner Agent on it). I use a 2k professional in the
> classroom and no class managed to break in : ) (I challenged them because
> the exams are on it).
The fact that they're in a security class shows that they do not
know that much about security, so obviously, you already started with a
more ignorant set of users. For someone who can break into your box, why
would he or she want to waste time and take your class?
Now, your second fallacy is that because you have secured your box
(per your software's recommendations, obviously, right?) it is
impenetrable? I take it you do not believe in day 0 vulnerabilities then?
Also, the whole thread started because system scanner does not run
under unix. For those who think NT is just as fine, I offer you these
observations:
1) There were 100+ security hotfixes released for win2k last year. That
means, on average, I need to patch every 3 days. Every 3 days, I need to
reboot my win2k server. That is the way to run an enterprise-level
server? And that's what you guys design your "security" software to run
on? You want me to run security software on software that was released
with 65,000+ "issues" and, on average, requires a reboot every 3 days?
2) There are STILL UNFIXED vulnerabilities that have been in existence
since windows 3.1. If you do not believe me, consult anyone who is
seriously doing cryptography and ask them about these papers (use
google) called "breakms.txt", "breakms2.txt" and "breakms3.txt". The paper
itself talks about IE 3, but the same damn vulnerability exists in IE5 and
IE6 because it exists at a lower level! Bill Atkinson, the guy who
designed Authenticode basically went on the Risks forum and declared that
PRIVATE KEY VULNERABILITIES ARE LESS IMPORTANT THAN OTHER SYSTEM PROBLEMS
(my upper case) meaning that a broken screen saver has higher priority than
a stolen private key. You want me to run security software on such a
system? And in case you're wondering, yes, there are people who are
actively using this vulnerability. I wonder if System Scanner even checks
for it (and if it did, so what? What kind of recommendation can it
make? Don't run Windows 9x or NT? Or write your own CSP and replace that
broken POS from Microsoft?)
> For me it is difficult to secure a Unix box, if I look at the number of
> vulnerabilities and settings wintel<=>unix/linux; it all depends on which
> platform you are used to working with all day long.
It is easy to secure a unix box. It is harder to secure an NT box,
though I dare say I can secure it for all current vulnerabilities. The
problem with NT is that you get (on average, last year) a new vulnerability
every 3 days. Like this latest fiasco, 250k systems compromised, according
to the radio this morning. I knew about it at least a month ago. But
until someone released a tool to exploit it, it wasn't on anyone's radar
screen.
> Why would you use pcanywhere or terminal server ? You can have up to 3 fully
To the guy who defended the use of pcAnywhere, I agree with you: if
you know how to configure it, yes, it is usable. The problem is that most
people just do a default install and do not configure it, and two, if this
were under Unix, I would not have to buy anything to have it run securely
on my server, but display it on my workstation.
> consoles and on top of that remote control through a stripped-down
> Apache web server.
True, this is a good point (though, for our case, we're throwing it
away and trying to develop something ourselves because we need some extra
functionality).
-Tai
--
http://philip.greenspun.com/bg/
http://www.vcnet.com/bms/features/serendipities.html
http://www2.hunter.com/~skh/humor/admin-horror.html
http://www.despair.com/demotivators/cluelessness.html