Gabriel Sechan said:
>
>>From: Mike Marion <[EMAIL PROTECTED]>
>>Did a quick search and didn't see any talk of this on the list:
>>
>>http://www.ranum.com/security/computer_security/editorials/dumb/
>>
>>Should be required reading for anyone that wants to be a programmer, admin,
>>or really work in any level of IT (especially management and execs should be
>>forced to read it too).
>
> One problem with his enumerating badness point-  if you do
> the opposite and lock down anything but a list of apps, it
> can be hard to get things done. Who here hasn't needed to
> write a quick program, or dl one from the web to get
> something done before?  Multiply that by everyone in a
> company. If you had to get approval for every little app,
> you'd be in major trouble.

You're a programmer, right? This is a typical programmer's point of
view. Marcus Ranum is a security expert. His point of view is in
securing the network from intrusion. I can relate. I can't count the
number of times I've had requests to create holes in firewalls without
regard to the security consequences. I don't consider myself to be the
kind of expert that Marcus is, but I know enough to know that he is
right.

You can't predict all the possible threats to your network from the
outside, so you have to start from a deny everything, allow what is
required baseline. Otherwise you won't even see the attacks coming,
because they're so numerous. I've monitored the logs of a new firewall
I brought on-line, with a new connection, on a newly assigned IP. The
attacks are almost instantaneous with the connection.

> Another with his penetrate and patch point-  there is no
> other way.  Writing 100% secure software is at a minimum
> extremely difficult.  It may not even be possible (how do
> you prove a negative? What if someone comes up with a
> whole new technique?).

I think what he's trying to point out is that standard good
programming practices, which should be taught in most courses, will
stop more exploits than trying to patch already badly written
software exploit by exploit.

> All in all it feels like a rant without any real ideas of
> how to improve things.

Marcus has plenty of ideas for improving things, though they may not be
reflected in that page.

-- 
Neil Schneider                              pacneil_at_linuxgeek_dot_net
                                           http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B  8209 32D7 1DB1 8460 C47D
Secrecy, being an instrument of conspiracy, ought never to be the
system of a regular government.
- Jeremy Bentham, jurist and philosopher (1748-1832)
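The "deny everything, allow what is required" baseline versus "enumerating badness" can be seen in a few lines of policy code. This is an added illustration, not code from the thread or from Ranum; the rule sets, the connection attempts and the networks (documentation ranges) are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of connection attempts as a firewall would log them:
# (source IP, destination port, protocol). Not real traffic.
SAMPLE_CONNECTIONS = [
    ("203.0.113.7", 22, "tcp"),     # external host probing SSH
    ("203.0.113.7", 445, "tcp"),    # same host probing SMB
    ("198.51.100.20", 443, "tcp"),  # anyone reaching the public HTTPS service
    ("192.0.2.33", 3389, "tcp"),    # RDP probe from an unknown network
    ("10.0.0.15", 22, "tcp"),       # admin host on the internal range
]

# "Enumerate goodness": the only thing allowed is what is required.
ALLOW_RULES = [
    (ipaddress.ip_network("0.0.0.0/0"), 443, "tcp"),  # public web service
    (ipaddress.ip_network("10.0.0.0/8"), 22, "tcp"),  # SSH from internal nets only
]

# "Enumerate badness": block a list of known-bad services; all else passes.
DENY_RULES = [
    (ipaddress.ip_network("0.0.0.0/0"), 445, "tcp"),
]

def _matches(conn, rule):
    src, port, proto = conn
    net, rport, rproto = rule
    return ipaddress.ip_address(src) in net and port == rport and proto == rproto

def default_deny(conn):
    """Allow only explicitly listed traffic; everything else is dropped (and logged)."""
    return "allow" if any(_matches(conn, r) for r in ALLOW_RULES) else "drop"

def default_allow(conn):
    """Block only known-bad traffic; unknown attempts pass through unnoticed."""
    return "drop" if any(_matches(conn, r) for r in DENY_RULES) else "allow"

def compare_policies(conns=SAMPLE_CONNECTIONS):
    """Per-policy verdict counts, so the difference in exposure is visible."""
    return {
        "default_deny": Counter(default_deny(c) for c in conns),
        "default_allow": Counter(default_allow(c) for c in conns),
    }

if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        print(conn, "default-deny:", default_deny(conn),
              "| deny-list:", default_allow(conn))
    print(compare_policies())
```

With the deny-list policy the RDP and external SSH probes are never dropped, so they never show up as blocked attempts; with default deny every unrequested connection is a visible, countable event.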


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list