On 4/12/06, Michael Halcrow <[EMAIL PROTECTED]> wrote:
> On Wed, Apr 12, 2006 at 08:22:16AM -0600, Chris Carey wrote:
> > Though, you could spend your whole life fighting this losing battle.
> > My opinion is to set your security in place, and forget about it.
>
> Some of the tactics suggested in this thread *are* setting security in
> place. And you should *never* just forget about it, because more
> likely than not, your adversaries are cleverer than you are. Good
> attacks are rarely conventional; if history has taught us anything,
> attackers will always ``cheat.'' Security is a hard problem -- in
> fact, it reduces to the same problem as the correctness problem, which
> any CS student knows is intractable.
>
> When it comes to system security, what we have to rely on is basic
> economics. If someone wants to ``get to'' your system, and if they
> have the willpower and enough resources to do it, you're screwed.
>
> So what you need to do is make it *more costly* for an attacker to get
> to your resources than whatever benefits the attacker would obtain by
> compromising your resources. For most run-of-the-mill systems on the
> Internet, the ``low-hanging'' fruit principle applies, just as it
> applies to the security tactics of home burglar alarm signs, walking
> down the sidewalk with confidence, and so forth. Criminals also
> understand the concept of opportunity cost.
>
> The moral of the story is to employ as many (layered) security
> mechanisms as you can while minimizing the inconvenience to the
> legitimate users. There are no one-shot silver bullets (although SE
> Linux comes close), and so you should be using a wide variety of
> tactics -- the more unique the approach, the less likely they will be
> compromised via a ``class break.''
>
> Mike
> .___________________________________________________________________.
> Michael A. Halcrow
> Security Software Engineer, IBM Linux Technology Center
> GnuPG Fingerprint: 419C 5B1E 948A FA73 A54C 20F5 DB40 8531 6DCA 8769
>
> Natural selection is a theory, just like gravity. If you don't
> believe it, go jump off a bridge!
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
I agree wholeheartedly. What I meant is that it's futile to block individual IPs. For every one you block, two more will appear. For an Internet-connected device, one should put a security policy in place that covers all IPs.

Chris Carey
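The policy Chris describes, one ruleset that applies to every source address instead of a blacklist that grows by one entry per offender, as an added example that is not part of the thread: a default-deny nftables ruleset for a Linux host, written as shell functions so the ruleset can be generated, inspected and loaded. It assumes nftables on the host, a public web service on ports 80 and 443, and SSH administration only from 192.0.2.0/24 (a documentation prefix standing in for the real admin network); none of these details come from the thread.

```shell
#!/bin/sh
# Added example, not code from the PLUG thread. Assumptions (not from the
# thread): nftables is available, the admin network is 192.0.2.0/24 (a
# documentation prefix used as a stand-in), and 80/443 are public services.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# The reactive approach the reply argues against: one rule per offender.
# Every new source address costs an admin action and the list never converges.
blacklist_rule() {
    printf 'add rule inet filter input ip saddr %s drop\n' "$1"
}

# The policy approach: enumerate what is allowed, drop everything else,
# whichever address shows up next. Emits a complete nftables ruleset.
default_deny_ruleset() {
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and neighbour discovery
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Management only from the admin network, rate-limited against brute force
        ip saddr $ADMIN_NET tcp dport 22 ct state new limit rate 10/minute accept

        # Public services: open to every source by design
        tcp dport { 80, 443 } accept

        # Log a sample of what the policy drops; no per-IP chasing required
        limit rate 5/second log prefix "nft-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Write the ruleset to a file (default /tmp/default-deny.nft) and print the path.
write_ruleset() {
    out="${1:-/tmp/default-deny.nft}"
    default_deny_ruleset > "$out" || return 1
    printf '%s\n' "$out"
}

# Syntax-check a ruleset file without loading it (nft -c needs root on most
# systems); returns 0 if it parses, 2 if nft is not installed or we are not root.
check_ruleset() {
    if [ "$(id -u)" != 0 ] || ! command -v nft >/dev/null 2>&1; then
        return 2
    fi
    nft -c -f "$1"
}
```

To load it: `f=$(write_ruleset) && sudo nft -c -f "$f" && sudo nft -f "$f"`. Keep the SSH rule before the drop policy in mind when editing remotely; a mistake in the admin prefix locks you out, so test with `nft -c` first and have console access.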
