Domain: securitypipeline.com
Stories and comments across the archive that link to securitypipeline.com.
Comments · 19
-
Re:Call me paranoid...
Ok, I'm not sure why this stupid belief keeps popping up like whack-a-mole, but there is no inherent security goodness to OSS vs. Windows.
The license model plays no role in ensuring security. Don't believe me? How about Andrew Morton, keeper of the Linux Kernel. He made these comments at a U.S. Senate Roundtable on "Policy Implications of Open Source Software":
"... the software stack is a very deep thing and a number of security problems don't really happen down at the low level operating system. They can happen at the application level and the application integration level. I find for the open source world it is hard to come up with a hard and fast rule. If there's a security problem in the kernel it's fixed in a flash. But other applications, depending on how active the development team is it might take longer. But generally the responsibility for solving those lies with the distributor ... all I can say is I've seen studies which tend to indicate that the resolution rates are approximately the same between free and proprietary software products" .
http://www.tech-forum.org/upcoming/transcripts/Transcript_OpenSource_07-15-04.pdf
Or if not him, how about Gene Spafford from CERIAS? Or how about this recent article in security pipeline "Five Linux Security Myths You Can Live Without"? http://www.securitypipeline.com/160902138
The list goes on. No credible security expert says that Open Source is inherently more secure.
Think of it this way, would you BLAME the GPL if software you used had a buffer overflow? No, you figure it was bad programming.
In simple terms, if you have good programmers and good methodology you have good code. If you don't, you have bad code. The license model is irrelevant to the security holes found in Open Source or proprietary software. -
Re:The Four Dumbest Ideas in One Paragraph.
Google is your candy bar-offering friend.
I thought the "nude pictures of barely clothed females" was just him being funny. I'm very forgiving when it comes to naked women.
In the end, I don't think it's right to say that security education can be done away with. But I do believe that it's crazy to believe that good education can make up for bad initial design, and I think it's good to replace education with design wherever possible. After all, given the choice between drumming, "Don't run executables you get in your e-mail" into thick skulls, and simply yanking executables before they hit the inbox, the latter is both more reliable and easier on the end user. -
Re:A much bigger problem
Yep, that's because companies spend too much time and money on border security (company firewalls, email filters etc.), while creating SPOFs in trying to minimize maintenance and admin budgets while forgetting that defense in depth is far, far more effective.
Given that users today like to use a variety of tools that use far more ports than just 80 and 25, it's more sensible to have protection at multiple levels: vlan, proxy, mail server, software firewalls, and AV/IDS from top to bottom, updated in as close to real-time as you can get.
The architecture proposed in this article goes to the opposite extreme, eliminating the DMZ and striving to minimize the need for a corporate firewall. I think it goes a little too far, but he's definitely got some good ideas.
(Also, in their defense, the road warriors are normally the salesmen keeping the company afloat :-) -
Just offer chocolate for records.
I've been getting "chocolate bar" spam ever since news came out that almost three quarters of office workers in an impromptu man-on-the-street survey were willing to give up their passwords when offered the bribe of a chocolate bar. The spam claims to provide 10 pounds of Hershey's chocolate in exchange for who knows what.
-
There are other sites available.
Andrew Jaquith, senior analyst with The Yankee Group in Boston. "There is really no good, consistent source for security information on the Internet," he said.
There are already a handful of really good sites out there. How will ATT compete with the likes of The Internet Storm Center, Security Focus, Packet Storm, and Security Pipeline, which are current and relevant?
Also in the TFA, there were statements that the news services will be offered to ATT customers. Will non-customers also have access to the site for free? If not, how does this compare to other managed services offerings from the likes of Symantec, ISS, and others? -
Re:You need to learn a bit more.
I am glad we are discussing security. It affects us all, regardless of OS.
The original poster, who said:
Given the current state of Windows security and advances in spyware, probably any company has become a very easy target for such spy attack from competitors
is more concerned with bashing Windows than raising security awareness in general. Anyone serious about security knows Linux has a huge number of vulnerabilities and must constantly be on the alert (just as Windows admins must) for new and evolving threats.
Even Linux maintainers themselves have security breaches again and again.
You do not see articles here very often deriding Linux about its security failures,
even when Linux has been shown to be attacked more often than Windows.
And all of this is exacerbated by the loss of the kernel management tool, BitKeeper.
My point here is not to argue about which OS is better, but that all OSes have huge security issues to deal with, and people in the trenches, not in the ivory tower, understand that.
-
Re:daughter's surfing practices
She probably just visits normal children's sites. Apparently they're pretty bad.
-
Re:Authenticate This!
People WILL give up biometric data for $20. People give up their passwords for chocolate readily, and they have some appreciation for what they're good for. I have no doubt that a black hat could take a stack of DVDs out with a fingerprint scanner, trade DVDs for names and thumbprints, and come home with more biometric data than you can shake a copy of the Patriot Act at.
Couch it in a "biometrics data" study on some college campus and you'll have kids LINING UP to give you biometric data, and probably more than that. They sign up for credit cards, giving name, address, income, and a ton more for a t-shirt. I've seen it happen. They run out of shirts before they run out of applicants.
Combine it with Avi Rubin's "get all the identity-theft information you can for $50" class and you've got a world-class identity theft scheme. -
For an accurate overview on the TPM ...
... see the article at Secure Enterprise.
-
Re:Your computer won't trust you
Sadly, you are wrong; read this from Secure Enterprise to see why.
Basically, the TPM doesn't do bulk crypto and may be useful for key management, which would be useful for lots of applications.
But market pressure will pretty much depress draconian use of the TPM because the general public won't want it. If you think slashdotters are concerned about security, the general populace, who is generally far less informed about the technology they use, is even more paranoid.
Besides, the TPM has to be enabled to be used. It is not required.
-
I can see why...
They hold the third largest population of phishers, scammers and hackers.
Ukrainian programmers won't be the first to land fat outsourcing contracts: they are as mob-ridden as Russia and better known for this kind of programmer than India is. -
How 'bout a Mozilla/Win option?
What about Windows users refusing (or in an increasing number of cases not allowed) to use IE?
I'd *love* to see a Mozilla/Firefox extension to integrate Gmail with the Win file system.
Preemptive response: (to save you the time)
-use Linux! -
FBI failing on spam
Only two cases so far, despite claims that the FBI "has identified over 100 significant spammers, and has targeted half of them for possible prosecution."
If the FBI arrested fifty spammers a year, we'd see a big drop in spam.
-
Re:Shrug
-
Re:Most likely irrelevant anecdote
Yes and if you relied on your linux machine to run a major database, we would accuse you of gross incompetence too.
I'd agree that gross incompetence is a fair accusation. (The same sort of gross incompetence that, for example, gets the DoI kicked offline three times.) I am suggesting, though, that gross incompetence (instead of a conspiracy to keep data secret) might be a sufficient explanation.
Or it might not. Maybe I'm not distrustful enough of government.
-
SIMS
...what security tools/applications/functionality are lacking (or non-existent) in the open source world?
How about an open source Security Information Management System (SIMS)? Description, Article.
Something that lets us integrate, collect, and correlate what the other great tools (Nessus, Snort, Nmap) find. -
Re:Open relays
I believe it would be both more effective and cheaper in the end to simply fix SMTP to the point where this is no longer a possibility.
Some info on how that should be done and why:
Sender Policy Framework
Why SPF?
Authentication Is Key To Fighting Spam
Spammy issues
This solves a lot more than the 'zombie' issue, and has to be done anyway; why not do it now and fix multiple problems at the same time instead of putting up fees for all kinds of things.
-
Re:And the truth comes out on Slashdot...
-
Submitted this over a month ago
# 2003-12-18 18:52:34 Cybercrime hits capitol hill (articles,usa) (rejected)
This was reported in the December issue of Cryptogram. You can find a Washington Post article here. And the Information Week article here.