Want a Fast Computer 1339

Morten Reistad

SNIP

Want a Fast Computer 1340
CBFalconer I remember the day, I think it was in fourth grade which would have made it about 1957, when we...

firewall with current any

My work laptop died sometime before Xmas and I've been using this here unloved Windows XP laptop instead... Fully patched + up to date, Adaware, Spybot and AVG running (and up-to-date)... I noticed IE was being a bit funny accessing hotmail, so I look at the task list... "bargains.exe", installed about 14 months ago (and everytime I rebooted as I found out). I spent a day trying to find a utility that would remove it, none did. In the end I ripped through the startup stuff and wiped out everything that I didn't recognise... Not for the faint-hearted, god only knows how the average Joe in the street would do that...

Yet another confirmation of my theory that Virus Scanners and Firewalls are part of the problem, not the solution. The only way forward from here is to make sure the entire software stack is secure by design (and the installations are secure by default)... And that leads me back to finding a way to represent Trust and manage trust relationships between tasks and the user. ACLs aren't cutting it, clearly. The UNIX method (usersgroups) works fine if the sysadmin is a dragon, the vendor keeps the patches coming and the applications are written by people with a clue (not likely given the complexity of modern apps).

I don't particularly like sandboxes because they have a habit of peeing users off, so they tend to get subverted or disabled by the users (plus vulnerabilities crop up anyway)... I figure the "parbreastioning" thing could work quite well, but you still end up with problems when you want to swap data between parbreastions (the trust thing again). Stuff like OpenBSD's systrace is very powerful, but the setup is daunting even with canned profiles...

Want a Fast Computer 1341
Charles Richmond) writes: We graduated from pencils to pens in the 4th or 5th grade, which for me...

So far the only thing that I've found that offers any hope are Capability systems (systrace + ACLs can go some way towards faking this). However I fear that Capability systems will pose similar setup & management challenges to the systrace+ACL route.

My conclusion is that adequate *enforcement* mechanisms are already widespread, but the management and software architecture is utterly wrong-headed. The place where I want to see progress is on the system administration side of security management. Firewalls and Malware scanners are at best a sanity check, the only payback they offer is when the system administration has failed. :(

There doesn't seem to be anything like enough effort being put into making the secuity aspects of system administration manageable. OpenBSD's "secure by default" mantra is a great start but it doesn't really go far enough, because this isn't *just* an OS issue, it's an application and user issue too.

Cheers, Rupert

List | Previous | Next

Want a Fast Computer 1340

Alt Folklore Computers from Newsgroups

The #1 Usenet Provider on the Internet

Want a Fast Computer 1338

PLEX86 x86- Virtual Machine (VM) Program


	CVS \| Mailing List \| Download \| Newsgroups

		Want a Fast Computer 1339 Morten Reistad SNIP Want a Fast Computer 1340 CBFalconer I remember the day, I think it was in fourth grade which would have made it about 1957, when we... firewall with current any My work laptop died sometime before Xmas and I've been using this here unloved Windows XP laptop instead... Fully patched + up to date, Adaware, Spybot and AVG running (and up-to-date)... I noticed IE was being a bit funny accessing hotmail, so I look at the task list... "bargains.exe", installed about 14 months ago (and everytime I rebooted as I found out). I spent a day trying to find a utility that would remove it, none did. In the end I ripped through the startup stuff and wiped out everything that I didn't recognise... Not for the faint-hearted, god only knows how the average Joe in the street would do that... Yet another confirmation of my theory that Virus Scanners and Firewalls are part of the problem, not the solution. The only way forward from here is to make sure the entire software stack is secure by design (and the installations are secure by default)... And that leads me back to finding a way to represent Trust and manage trust relationships between tasks and the user. ACLs aren't cutting it, clearly. The UNIX method (usersgroups) works fine if the sysadmin is a dragon, the vendor keeps the patches coming and the applications are written by people with a clue (not likely given the complexity of modern apps). I don't particularly like sandboxes because they have a habit of peeing users off, so they tend to get subverted or disabled by the users (plus vulnerabilities crop up anyway)... I figure the "parbreastioning" thing could work quite well, but you still end up with problems when you want to swap data between parbreastions (the trust thing again). Stuff like OpenBSD's systrace is very powerful, but the setup is daunting even with canned profiles... Want a Fast Computer 1341 Charles Richmond) writes: We graduated from pencils to pens in the 4th or 5th grade, which for me... So far the only thing that I've found that offers any hope are Capability systems (systrace + ACLs can go some way towards faking this). However I fear that Capability systems will pose similar setup & management challenges to the systrace+ACL route. My conclusion is that adequate enforcement mechanisms are already widespread, but the management and software architecture is utterly wrong-headed. The place where I want to see progress is on the system administration side of security management. Firewalls and Malware scanners are at best a sanity check, the only payback they offer is when the system administration has failed. :( There doesn't seem to be anything like enough effort being put into making the secuity aspects of system administration manageable. OpenBSD's "secure by default" mantra is a great start but it doesn't really go far enough, because this isn't just an OS issue, it's an application and user issue too. Cheers, Rupert List \| Previous \| Next



		Want a Fast Computer 1340 Alt Folklore Computers from Newsgroups The #1 Usenet Provider on the Internet Want a Fast Computer 1338