-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 19 May 2004 10:00 am, Eric G Ortego wrote:
> Bryce T. Pier wrote:
> > I'm not going to further a MS vs unix argument but my point still stands
> > on windows. Yeah IE and windows have a lot of holes but as a security
> > conscious admin or manager you don't just say "well hell, lets put on
> > anything we want, 200 potential holes isn't any worse than 100". IT
> > business security is of utmost concern whether its protecting windows,
> > Unix, open source software, etc. The same principles and practices must
> > be followed. It's not a developer's ass on the line if there is data loss
> > at your company.
>
> That depends on the company. When data collection is what the software
> was developed to do, data loss is an important issue for the developers
> as well as the sys admins.

Absolutely, but that's being much more specific than I meant. I would
suspect the data collection software is less frequently attacked than the
OS it's running on or other exposed services.

> > Configuration control isn't nearly as important as other security
> > measures.
>
> I would have to strongly disagree, misconfigured software can expose
> a lot more holes. Chrooting can help even the most vulnerable or
> misconfigured systems but even a poorly configured chroot can be
> somewhat pointless. Stack-smashing-protection like
> http://www.trl.ibm.com/projects/security/ssp/ can secure some of the
> buggiest apps but misconfiguring the app can negate those protections.

My point wasn't that configuration wasn't important, it was that you
should use as many layers of security of different types as possible
(which is really more important). Such as chrooting as you said, etc.
Just knowing that your configuration of an app is rock solid isn't
enough. If an exploit is found in that app's handling of input for
example, the configuration of the app doesn't much matter.

Which leads us back to my initial point that IT departments of most
companies won't just install new packages without very good reason
because standard security practice is to remove as many packages from a
system as possible. Don't take my word for it, see
http://www.linuxjournal.com/article.php?sid=7448 from this month's LJ as
just one example.

- -- 
Bryce T. Pier
[EMAIL PROTECTED]

We are dreamers, shapers, singers and makers. We study the mysteries of
laser and circuit, crystal and scanner, holographic demons and
invocations of equations. These are tools we employ and we know many
things.
-Elric, Babylon5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAq4wkoNTOIKp/8CURAgRHAJ920ezzVasBkEzcAx7ZVHYja+OpqwCfUCk+
pa7BCToEasadQakzjcry87c=
=bCfA
-----END PGP SIGNATURE-----
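The thread's chroot point (a jail as one layer among several, and a poorly configured one being pointless) in working code, as an added example that is not part of the original message or written by either poster. It shows the order a jail has to be entered in: chdir into the directory, chroot, chdir to the new root, drop supplementary groups, gid and uid, then verify that root cannot be regained. The function names, the status codes, the default directory /var/empty and the default uid/gid 65534 are this example's own assumptions; the parameter checks are separated out so the part that needs no privilege can be exercised without root.

```c
/* jail.c: enter a chroot jail as one defence-in-depth layer, then verify it.
 * Assumed names (jail_enter, jail_check_params, /var/empty, uid/gid 65534)
 * belong to this example, not to the thread. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_status {
    JAIL_OK = 0,
    JAIL_ERR_PATH,       /* jail directory must be an absolute path */
    JAIL_ERR_KEEP_ROOT,  /* caller asked to stay uid/gid 0 inside the jail */
    JAIL_ERR_NOT_ROOT,   /* chroot(2) needs root (CAP_SYS_CHROOT on Linux) */
    JAIL_ERR_SYSCALL     /* a system call failed; see errno */
};

/* Parameter checks that need no privilege, so they can be tested anywhere.
 * Rejecting uid/gid 0 is the important one: a process that stays root inside
 * a chroot can mkdir a subdirectory, chroot into it and chdir("..") back out
 * of the original jail, which is what makes a "poorly configured chroot"
 * pointless. */
enum jail_status jail_check_params(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || dir[0] != '/')
        return JAIL_ERR_PATH;
    if (uid == 0 || gid == 0)
        return JAIL_ERR_KEEP_ROOT;
    return JAIL_OK;
}

enum jail_status jail_enter(const char *dir, uid_t uid, gid_t gid)
{
    enum jail_status st = jail_check_params(dir, uid, gid);
    if (st != JAIL_OK)
        return st;
    if (geteuid() != 0)
        return JAIL_ERR_NOT_ROOT;

    /* chdir before chroot: chroot(2) does not change the working directory,
     * so a process that skips this keeps a cwd outside the jail. */
    if (chdir(dir) != 0 || chroot(dir) != 0 || chdir("/") != 0)
        return JAIL_ERR_SYSCALL;

    /* Drop supplementary groups first (only root may), then gid, then uid.
     * Order matters: once the uid is non-zero the group calls would fail. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_SYSCALL;

    /* Verify the drop is irreversible: regaining root must fail. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return JAIL_ERR_KEEP_ROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* Defaults are assumptions for the example: an empty directory and the
     * conventional "nobody" uid/gid. Override on the command line. */
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    uid_t uid = argc > 2 ? (uid_t)strtoul(argv[2], NULL, 10) : 65534;
    gid_t gid = argc > 3 ? (gid_t)strtoul(argv[3], NULL, 10) : 65534;

    enum jail_status st = jail_enter(dir, uid, gid);
    if (st != JAIL_OK) {
        fprintf(stderr, "jail_enter failed with status %d\n", (int)st);
        return 1;
    }
    printf("confined in %s as uid %u, cwd /, root dropped\n",
           dir, (unsigned)getuid());
    return 0;
}
```

Build with `cc -o jail jail.c` and run it as root (`./jail /var/empty 65534 65534`); as an unprivileged user it stops at JAIL_ERR_NOT_ROOT before touching anything. The final setuid(0)/setgid(0) probe is the check worth keeping in real code: a jail that lets the process become root again is the misconfiguration the thread is talking about, and it is cheap to detect at startup rather than after an exploit.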