Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] comparing information security to other industries

from [Michael Zimmermann] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] comparing information security to other industries
Date: Mon, 25 Dec 2006 01:07:30 +0100 
Hi Brian,

you answer from the viewpoint of somebody engaged in 
modern 'computer security'. But with the phrase 
"at large" I was meaning a more global view:

Two thirds of the PCs are estimated to contain
malware. We are so used to receive all kinds of
virusses, worms and trojans, that we NEED antivirus 
scanners and firewalls. Those defences are like
medicine, which you MUSt take - and the more medicine
you have to take, the more ill you are.

In the early 1980ies it was _unthinkable_ that a 
program would run on your systems, which you 
wouldn't know it existed and had installed for 
yourself. Nowadays it's the rare exception, when
a user knows what is running on his PC (and a
professional system admin, who knows every program
executing on his machine is also a rare thing, 
I think).

Complexity has grown, but our basic security
structures in hardware and software have have not.
Unix/Linux security is based on the classic Unix 
design (was it 1974 when it was published?), DOS
security is an unborn child while Windows security 
is not better than than of Linux. 

Why?

The Intel hardware for PCs was chosen on the basis 
of marketing thinking and not because it was 
technically better than it's alternative - nothing 
to say about security concerns. An executable stack
with decreasing addresses, unprotected memory and 
totally missing permission-scheme in the IBM PC and, 
and, and...

Marketing/money decision ruled the IT-Industry
since the first IBM PC was sold. Yet there have
existed better system- and hardware-designs
even before the IBM PC. Just to name two:
Motorola processors or the Multics OS.

Brian, IMO your argumentation is not a solution
to improve over-all security but is symptomatic 
for the lack of it.

A lot of patch-work and no broadly accepted
security concept. Only during the last years
that situation is changing slowly - but not
yet in the Windows realm. But a functioning 
PC security is needed IMO, at least I don't
want to live with a net, where hundred-
thousands of zombies can bring my server
down any moment or flood my MTA daily with
thousands of crap-email. These daily fights
may create a sort of dynamice equilibrium,
but are not what I call "security" or "stability".


Greetings
Michael

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] [YST] Full Disclosure - Paul Robinette / Renetto, Dexa Rouskies
Next by Date:  [Full-disclosure] Happy Holidays, evilrabbi
Previous by Thread:  Re: [Full-disclosure] comparing information security to other industries, Brian Eaton
Next by Thread:  [Full-disclosure] ZDI-06-051: Mozilla Firefox SVG Processing Remote Code Execution Vulnerability, zdi-disclosures
Indexes:  [Date] [Thread] [Top] [All Lists]