[WEB SECURITY] Re: [Full-disclosure] comparing information security to other industries

Michael Zimmermann zim at vegaa.de
Sun Dec 24 19:07:30 EST 2006


Hi Brian,

you answer from the viewpoint of somebody engaged in 
modern 'computer security'. But with the phrase 
"at large" I was meaning a more global view:

Two thirds of the PCs are estimated to contain
malware. We are so used to receive all kinds of
virusses, worms and trojans, that we NEED antivirus 
scanners and firewalls. Those defences are like
medicine, which you MUSt take - and the more medicine
you have to take, the more ill you are.

In the early 1980ies it was _unthinkable_ that a 
program would run on your systems, which you 
wouldn't know it existed and had installed for 
yourself. Nowadays it's the rare exception, when
a user knows what is running on his PC (and a
professional system admin, who knows every program
executing on his machine is also a rare thing, 
I think).

Complexity has grown, but our basic security
structures in hardware and software have have not.
Unix/Linux security is based on the classic Unix 
design (was it 1974 when it was published?), DOS
security is an unborn child while Windows security 
is not better than than of Linux. 

Why?

The Intel hardware for PCs was chosen on the basis 
of marketing thinking and not because it was 
technically better than it's alternative - nothing 
to say about security concerns. An executable stack
with decreasing addresses, unprotected memory and 
totally missing permission-scheme in the IBM PC and, 
and, and...

Marketing/money decision ruled the IT-Industry
since the first IBM PC was sold. Yet there have
existed better system- and hardware-designs
even before the IBM PC. Just to name two:
Motorola processors or the Multics OS.

Brian, IMO your argumentation is not a solution
to improve over-all security but is symptomatic 
for the lack of it.

A lot of patch-work and no broadly accepted
security concept. Only during the last years
that situation is changing slowly - but not
yet in the Windows realm. But a functioning 
PC security is needed IMO, at least I don't
want to live with a net, where hundred-
thousands of zombies can bring my server
down any moment or flood my MTA daily with
thousands of crap-email. These daily fights
may create a sort of dynamice equilibrium,
but are not what I call "security" or "stability".


Greetings
Michael


----------------------------------------------------------------------------
The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]



More information about the websecurity mailing list