funsec mailing list archives
Re: whitehouse cyber strategy review
From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 15 Nov 2009 21:06:48 -0500
On Sun, Nov 15, 2009 at 08:09:37AM -0500, Larry Seltzer wrote:
> We're getting off-track here, but your experience is, at best, many years out of date.
Maybe. Or maybe several years ahead. I suppose we'll see.

Look, I'm *well* aware of the myriad issues involved here, and I am by no means suggesting that this is a panacea. There is no panacea. I'm simply pointing out that Microsoft has proven to my satisfaction that they're incapable or unwilling to step up, and I see no reason to continue re-running the experiment over and over again when we already know what the result will be. Let's run a different one, so that if/when we fail, we at least have the novel experience of failing in a different way.

And yes, to Dan's point, I know that even if we start with a solid base OS but then layer it with PHP and Apache and MySQL and a zillion other things, the end result may be swiss cheese. But (a) I think we have a fighting chance of at least containing the problem on 'nix and (b) there are a bazillion desktops that don't need any of that. Give 'em a base OS, Firefox (with NoScript, AdBlock, TACO, etc.), Thunderbird and OpenOffice, which at least limits the attack surface to those applications. And restrict access to that surface by judicious use of things like HTTP proxies and SMTP abuse controls.

Again: not a panacea. But a considerable improvement. It gives defenders a fighting chance, whereas today they've got none.

My larger point, though, which may have been lost in my sarcasm, is that sticking with Windows guarantees failure. No matter what else is done, no matter how it's done, the result will be failure. So even if the alternatives only offer a 1% chance of success (to randomly pick a number), those long odds are still preferable to 0%. To put it another way, the same-old same-old is NOT gonna get it done. Radical thinking and radical approaches are needed. If not my suggested radical approach, fine, then another one, any one. It can't possibly be any worse.
I mean, the security track record of the federal sector to date is rated "F" only because there's no lower grade available, and frankly, that's rather charitable.

But of course that won't happen. Conceiving it is well beyond the capabilities of the feeble intellects that make decisions within the Beltway. And there's WAY too much money to be made by maintaining the status quo, modulo a few buzzwords. And so there will be more of this (courtesy Richard Forno's InfoWarrior list tonight):

> 14 tech firms form cybersecurity alliance for government
> Lockheed Martin, top suppliers launch initiative for government market

Garbage. Utterly worthless garbage. I don't even have to read the details to know this, because I've seen this movie a dozen times and it always ends the same way: "full of sound and fury, signifying...nothing". But I'm sure it's great for the pigs feeding at the trough.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Re: whitehouse cyber strategy review, (continued)
- Re: whitehouse cyber strategy review rick wesson (Nov 14)
- Re: whitehouse cyber strategy review Larry Seltzer (Nov 14)
- Re: whitehouse cyber strategy review Larry Seltzer (Nov 14)
- Re: whitehouse cyber strategy review Larry Seltzer (Nov 14)
- Re: whitehouse cyber strategy review Larry Seltzer (Nov 14)
- Re: whitehouse cyber strategy review Robert Graham (Nov 14)
- Re: whitehouse cyber strategy review der Mouse (Nov 14)
- Re: whitehouse cyber strategy review Rich Kulawiec (Nov 15)
- Re: whitehouse cyber strategy review Larry Seltzer (Nov 15)
- Re: whitehouse cyber strategy review Rich Kulawiec (Nov 15)