Quoting "Clint M. Sand" <[EMAIL PROTECTED]>:

> On Thu, Sep 22, 2005 at 07:09:12PM -0600, Theo de Raadt wrote:
> > > > People keep yammering this bullshit about "Security is a process".
> > > > Bullshit!  Lies!  It's about paying attention to the frigging details
> > > > when they are right in front of your face.  And it is very clear other
> > > > vendors do not pay attention to the details, considering the work I
> > > > did here was talked about all over BUGTRAQ back in that month.  No
> > > > wonder these vendors and their blogboys have to have this "Security is
> > > > a process" mantra to protect themselves from looking bad.
> > > >
> > >
> > >
> > > "Security is a process" is intended to mean 2 things. One is that the
> > > idea that you can "set and forget" anything and think it's somehow
> > > "secure" is a joke. To "secure" a network includes at a minimum, keeping
> > > up with vendor patches for example. Processes like patch management help
> > > keep systems secure. It does not say "Security is ONLY a process".
> > >
> > > Secondly, it is meant to refute the moronic idea that some admins seem
> > > to have that buying any product makes you "secure". Prevalent is the
> > > idea for example that if you have a "firewall" then you are now "secure".
> > > Or, "I have Norton AntiVirus so now my PC is secured".
> >
> > No, no no.
> >
> > You are playing the same semantic games that avoid responsibility at
> > the ENGINEERING and PRODUCT DEVELOPMENT STAGES.
> >
> > It's so very very Microsoft.
> >
> > Just like the air-conditioning technicians I keep firing because they
> > can't read schematics and charts.
> >
> > Which is why I now know MORE about air-conditioners than most of the
> > technicians who come here.
> >
> > The phrase, and everything you said, is all excuses for the vendors.
> >
> > It IS POSSIBLE to set something up and have it be secure and NOT TOUCH
> > IT, because many people have OpenBSD machines running older releases
> > running without any modification for YEARS now, RISK FREE, without
> > having to update ANY THING.
>
> No, you can put an OpenBSD box up and leave it for years with root login
> enabled and password for a password. It takes more than correct code.
> It's correct code plus correct usage. I think the GOBBLES sshd exploit
> is proof enough that "set and forget" is not "risk free".
>
> Security is everything you've ever said, plus a process.
>
>

If it is secure, it doesn't need a process. So why would security be a
process again? Because of the vendors making "mistakes" and fixing them later?

Jimmy Scott
