Firewall Wizards mailing list archives

Re: firewall-wizards Digest, Vol 64, Issue 3 phishing


From: "Stephen P. Berry" <spb () meshuggeneh net>
Date: Mon, 15 Apr 2013 20:57:56 -0700


Dave Piscitello writes:

> I think your premise - that we are comfortable with this architecture
> - is wrong, at least for this choir.

Well, the recommendations are coming from the list.  If you're going to tell
me that sometimes we recommend things that we're none too happy about,
I understand.  But I still think it's a problem.  We would reduce the
number of real-world information security problems by -at least- a factor
of ten if we simply stopped doing things that we, collectively, know are
wrong.  I don't say that casually, and I think it's one of those things
that is a)  profoundly shocking, and b)  steadily getting worse rather than
better.

And here, as before, I mean `we' in the collective sense, all
network/information security types out there working.  I'm not trying to
single out anyone on the mailing list, and I'm not trying to exclude
myself.  My argument is that the -structural- security of our networks
is, as a general rule, getting worse and worse and no matter how much
we tell ourselves it can't be helped and no matter how many spiffy
quote security unquote quote appliances unquote we allow vendors to
sell us this is still the fundamental reality.  


As far as virtualisation goes, I think it's a profound missed opportunity.
In principle things like AWS AMIs make doing minimal footprint, application-
specific OS installs with everything unnecessary turned off, central logging,
behaviour-based auditing based on a known-good baseline, and all those other
things that used to be comparatively expensive to do much MUCH more
straightforward.  But of course this isn't how, as a rule, virtualised
deployments are architected, because doing things this way just isn't
even in most organisations' decision trees.

I realise that I'm probably doing two stupid things here:  preaching to
the choir, and complaining about a problem instead of fixing it.  But
this is something that I feel like I've spent years and years throwing
effort at (professionally, in contributing open source code to the
community at large, in mentoring other sysadmins/network admins, participating
in SAGE back when they were still a going concern, and so on), and things
just keep getting worse and worse.


-spb

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
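The post above mentions, in passing, the kind of thing a minimal application-specific image makes cheap: declare what the image is supposed to contain and what is allowed to listen, then audit a running instance against that known-good baseline.  The following is an added example of such a baseline-drift check, written for this archive; it is not code from the post or from any project the post names.  It assumes the golden state can be captured as SHA-256 digests of the files that matter plus the set of permitted listeners, and that a later snapshot of the host is available in the same shape.  Every path, digest input and listener below is constructed in-memory for the example; nothing is read from a real host.

```python
"""Baseline-drift audit for a minimal, application-specific image.

Added example, not from the original mailing-list post.  It assumes the
known-good state of an image is (a) SHA-256 digests of the files that
matter and (b) the set of services allowed to listen, and that a later
snapshot of the same host is available in the same shape.  All inputs
below are constructed in-memory; nothing is read from a host.
"""
import hashlib
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (category, detail)


def digest(content: bytes) -> str:
    """SHA-256 hex digest of a file's bytes."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(files: Dict[str, bytes], listeners: Set[str]) -> dict:
    """Capture the known-good state: file digests plus allowed listeners."""
    return {
        "files": {path: digest(data) for path, data in files.items()},
        "listeners": set(listeners),
    }


def audit(baseline: dict, files: Dict[str, bytes],
          listeners: Set[str]) -> List[Finding]:
    """Compare an observed snapshot against the baseline; return drift.

    Anything not in the baseline is a finding: an image that only ships
    what it needs has no legitimate reason to grow new files or listeners.
    """
    findings: List[Finding] = []
    known = baseline["files"]
    seen = {path: digest(data) for path, data in files.items()}

    for path in sorted(known.keys() - seen.keys()):
        findings.append(("file_removed", path))
    for path in sorted(seen.keys() - known.keys()):
        findings.append(("file_added", path))
    for path in sorted(known.keys() & seen.keys()):
        if known[path] != seen[path]:
            findings.append(("file_modified", path))

    for svc in sorted(listeners - baseline["listeners"]):
        findings.append(("unexpected_listener", svc))
    for svc in sorted(baseline["listeners"] - listeners):
        findings.append(("missing_listener", svc))
    return findings


# Constructed known-good image: only sshd and the application listen,
# and syslog is forwarded to a (hypothetical) central loghost.
GOLDEN_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/rsyslog.d/remote.conf": b"*.* @@loghost.example.internal:6514\n",
    "/usr/local/bin/app": b"\x7fELF...constructed placeholder bytes...",
}
GOLDEN_LISTENERS = {"tcp/22:sshd", "tcp/8443:app"}

# Constructed later snapshot of the same host: sshd_config weakened, a
# cron drop-in appeared, and something is listening that never shipped.
DRIFTED_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/rsyslog.d/remote.conf": b"*.* @@loghost.example.internal:6514\n",
    "/usr/local/bin/app": b"\x7fELF...constructed placeholder bytes...",
    "/etc/cron.d/updater": b"* * * * * root /tmp/.x\n",
}
DRIFTED_LISTENERS = {"tcp/22:sshd", "tcp/8443:app", "tcp/4444:nc"}


def run_audit() -> List[Finding]:
    """Audit the constructed drifted snapshot against the golden image."""
    baseline = build_baseline(GOLDEN_FILES, GOLDEN_LISTENERS)
    return audit(baseline, DRIFTED_FILES, DRIFTED_LISTENERS)


if __name__ == "__main__":
    for category, detail in run_audit():
        print(f"{category}: {detail}")
```

On the constructed input this reports the added cron drop-in, the modified sshd_config and the unexpected listener on tcp/4444, and nothing else; the same golden snapshot audited against itself produces no findings.  In a real deployment the file and listener inventories would be collected on the instance (or from the image at build time) and the findings shipped to the central log the post mentions, so the check runs from the known-good side rather than trusting the host to grade itself.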