
[linux-security] Re: RedHat 5.X Security Book



On Fri, Jul 10, 1998 at 07:38:43AM -0300, Grant Taylor wrote:
> 
[...]
> 
> This is not what I said.  I merely point out that it is difficult or
> perhaps impossible to make a "checklist" that will be complete enough
> to result in a system that is actually secure.  Particularly so over
> time.

"Security" is relative.  "Actually secure" makes it a binary choice.
It ain't so.

[...]
> > I have a car. I know how to drive it. I can change flat tires, add
> > oil and gas. This covers about 99% of normal stuff. I take it to a
> > car mechanic when it needs it. I am not going to stop on the side of
> > the road, pull 200 pounds of tools out of the trunk and change all
> > the gaskets in the engine.
> 
> Absolutely.  But network security is more complex than car
> maintenance.  It also differs in that "99% secure" isn't significantly
> better than "40% secure".

?? No attacker knows every exploit, and no sysadmin knows every
exploit.  The more holes you close the more likely you are to block up
the ones that any particular attacker will know. 

"99% secure" is an almost completely meaningless statement, in any
case. 

> Anyone interested in breaking in has only
> to try out a bag of tricks until he hits that forgotten 1%.

That assumes that the attacker's bag of tricks includes that forgotten
1%.  In fact, clue is not evenly distributed among the cracker
community, either.  A very few are brilliant and knowledgeable, most
are not.

-- 
Kent Crispin, PAB Chair			"No reason to get excited",
kent songbird com			the thief he kindly spoke...
PGP fingerprint:   B1 8B 72 ED 55 21 5E 44  61 F4 58 0F 72 10 65 55
http://songbird.com/kent/pgp_key.html