Quoting Timothy D Thatcher (daniel.thatc...@gmail.com):

> Hah, I'm glad it was nothing as nefarious as some weird malware or
> rootkit, or as irritating/potentially expensive as an actual hardware
> failure. Great work, and thanks, Rick.

Just one more thing about that:

  Moen's Third Law of Security

  "Malware is _not_ a security problem; malware is a secondary _after-effect_
  of a security problem."

  People who focus on particular exploits against particular
  vulnerabilities (or worse, software packages like "anti-virus software"
  that do so) have already lost the security battle, because they aren't
  focusing on what's important -- which is correcting their own strategic
  errors that make those recurring vulnerabilities possible (and
  inevitable).  Marcus Ranum described what is important perfectly, in his
  essay "What Sun Tsu Would Say":

  o  Run software that does not suck.
  o  Absolutely minimize Internet-facing services.

  If you have to keep chasing after holes in the same hopelessly bad
  software (PHP, WordPress, AWstats, wu-ftpd, lpd, etc.) — or, worse,
  paper over that underlying cause with anti-malware software — then
  you're addressing the _wrong problem_.

  The computer-security advice Ranum attributes to Sun Tzu bears repeating:

  If you are fighting a losing battle, it is likely one of three things:
  a) You are continuing a trend in a losing war -- and therefore should
     not be surprised.
  b) You have chosen to fight the wrong battle.
  c) You are stupid.

(I'll hasten to say that I'm not calling anyone stupid.  Ranum, a major
security expert from the BSD community, putting words in Sun Tzu's
mouth, is saying that certain people _might_ be stupid.  Personally, I'd
only go so far as to say 'misguided'.  ;->  )

The examples cited of wu-ftp, lpd, and AWstats now seem obscure, but
please do remember that I created the page a long time ago.
vox-tech mailing list
