[9338] in bugtraq
Re: No Security is Bad Security:
daemon@ATHENA.MIT.EDU (Donald Moore (MindRape))
Thu Feb 4 13:16:25 1999
Date: Thu, 4 Feb 1999 02:08:42 -0700
Reply-To: "Donald Moore (MindRape)" <mindrape@HOME.COM>
From: "Donald Moore (MindRape)" <mindrape@HOME.COM>
X-To: "John \"E.R.\" Jasen" <jjasen1@UMBC.EDU>
To: BUGTRAQ@NETSPACE.ORG
>Lessons Learned:
>---------------
>
>When you think 'security,' think 'defense in depth.' The French
>demonstrated very neatly that putting all their resources into the
>Maginot Line was not very bright, and we should make every effort *not* to
>recreate the Maginot Line.
Security shouldn't just be cast as only a defensive mechanism. Security
in that form becomes a bothersome tyrant of the OS, hindering the users of
that machine. This kind of view will only encourage paranoid, knee-jerk
solutions. Instead, security is more appropriately viewed as a methodology
of determining the integrity of a resource. Beyond the defensive, and
creating simple reusable solutions applicable to any number of situations.
What if there's no need to get defensive?
>Security is *not* cost-intensive, if you build it in the first time, or
>add it in as you upgrade your environment, especially as you value it
>against the total loss of your environment.
How can you determine everyone's cost and value? Some don't care or feel
they have any need for security, thus incurring unwanted cost. This stems
from viewing security as a defensive perspective.
>Find a way to control outside access. Either throttle it through a
>firewall, run it through router filters, or use tcpd. (in descending order
>of preference)
A fine example of a necessary form of tyrant application and the costs
incurred.
- - - ------------------------------------------------- - -- ---
______ ______ .
.:_\___ \\_ . \_::.
Donald Moore (MindRape) . .::./ ./ // ./__/.:::. .
_<_____/<____ >_:.
Email: mindrape@home.com . \/ .
damaged@futureone.com Damaged Cybernetics
- - - ------------------------------------------------- - -- ---