funsec mailing list archives
Re[4]: www.hexblog.com down?
From: Pierre Vandevenne <pierre () datarescue com>
Date: Wed, 4 Jan 2006 22:21:16 +0100
Good Day,

SD> This puzzles me a bit.

Understandable. I am willing to explain.

SD> If you are storing customer data on machines your blissfully unaware
SD> account uses to surf the web, what has really changed?

Everyone has internet access nowadays. If we wanted, we could file absolutely everything electronically (this is the e-government project in Belgium). In many cases (Intrastat, some VAT stuff) we are MANDATED BY LAW to use electronic delivery. The Internet or, for example, a private dying system called ISABEL.

Ideally, I agree with you that we should have a military style network, with a totally private/segregated network for accounting purposes/customer database. In practice, is it possible? Realistic? How are Microsoft and governments evolving? Will it become more of a problem in the future?

We are, in some ways, close to that. We have two connections here, totally segregated. There is one for our "corporate" network, and one for the public aspects. Different routers, different policies. How many small companies go as far as that?

SD> They were vulnerable for years before the public disclosure.

Agreed. But

- we did our best, given the amount of knowledge we had, to tackle security issues on our side of the network. For example, Outlook has been explicitly forbidden since the 90s here. We did buy licenses for another e-mail client, based on our best judgement. So was Office. We are using Lotus Word Pro, for example.

- there are many more vulnerabilities in Windows. Given our level of expertise, we probably could come up with some if our area of interest were vulnerability research. But we don't favour full disclosure.

- until the day that vulnerability was fully explained, exposed and detailed for everyone to use (I, we, Ilfak) did not care much. Everyone can be exploited by a zero day vulnerability. When the knowledge became widespread, the whole story changed. We were at the mercy of not only a dedicated hacker, but also of any idiot.

That makes a very big difference. Given the nature of our user base, I have no doubt anyone there could hack us (or, maybe more simply, listen to our traffic...). We could probably track it. Deterrence (and correction from our user base at work). Vandals are different.

SD> They were potentially exploited during the weeks before the public
SD> disclosure.

Very true. That doesn't mean we shouldn't act when we are aware of it. I learned of the vulnerability as a normal user. I asked "can we do something about it?" because I didn't like the idea of being a sitting duck. It seems we could.

SD> They will still be vulnerable to other known vulnerabilities, but not
SD> necessarily public, after this vulnerability is patched.

Very true again. Do you propose we do something about unknown zero day exploits? Switch to Linux or Mac OS X, for which I am sure - as of today - zero day non public exploits exist?

SD> Ignorance may be bliss, but do you depend on it to keep your customer
SD> data secure?

Do you rely on yours? Are you suggesting that all businesses should, and will, in the future, implement the clever military approach (totally physically and functionally segregated networks)? I don't know. So basically, that question doesn't make sense. By definition, my ignorance is very close to infinite. So is yours. As far as I know, each and every human being is in the same position in that respect, from a generic point of view as well as from an IT point of view. We should act upon what we know. We can't act upon what we don't know. And we can make mistakes.

--
Best regards,
Pierre mailto:pierre () datarescue com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.