On Thu, Sep 22, 2005 at 07:09:12PM -0600, Theo de Raadt wrote:
> > > People keep yammering this bullshit about "Security is a process".
> > > Bullshit! Lies! It's about paying attention to the frigging details
> > > when they are right in front of your face. And it is very clear other
> > > vendors do not pay attention to the details, considering the work I
> > > did here was talked about all over BUGTRAQ back in that month. No
> > > wonder these vendors and their blogboys have to have this "Security is
> > > a process" mantra to protect themselves from looking bad.
> >
> > "Security is a process" is intended to mean 2 things. One is that the
> > idea that you can "set and forget" anything and think it's somehow
> > "secure" is a joke. To "secure" a network includes at a minimum, keeping
> > up with vendor patches for example. Processes like patch management help
> > keep systems secure. It does not say "Security is ONLY a process".
> >
> > Secondly, it is meant to refute the moronic idea that some admins seem
> > to have, that buying any product makes you "secure". Prevalent is the
> > idea for example that if you have a "firewall" then you are now "secure".
> > Or, "I have Norton AntiVirus so now my PC is secured".
>
> No, no no.
>
> You are playing the same semantic games that avoid responsibility at
> the ENGINEERING and PRODUCT DEVELOPMENT STAGES.
>
> It's so very very Microsoft.
>
> Just like the air-conditioning technicians I keep firing because they
> can't read schematics and charts.
>
> Which is why I now know MORE about air-conditioners than most of the
> technicians who come here.
>
> The phrase, and everything you said, is all excuses for the vendors.
>
> It IS POSSIBLE to set something up and have it be secure and NOT TOUCH
> IT, because many people have OpenBSD machines running older releases
> running without any modification for YEARS now, RISK FREE, without
> having to update ANY THING.
No, you can put an OpenBSD box up and leave it for years with root login enabled and "password" for a password. It takes more than correct code. It's correct code plus correct usage. I think the GOBBLES sshd exploit is proof enough that "set and forget" is not "risk free". Security is everything you've ever said, plus a process.