[linux-security] Re: RedHat 5.X Security Book
- From: Joseph S D Yao <jsdy gwyn tux org>
- To: scott sonic net (Scott Doty)
- Cc: linux-security redhat com
- Subject: [linux-security] Re: RedHat 5.X Security Book
- Date: Wed, 29 Jul 1998 15:12:24 -0400 (EDT)
[Still catching up after weeks away ...]
Scott Doty proclaimed:
> On Fri, Jul 10, 1998 at 07:38:43AM -0300, Grant Taylor wrote:
> [regarding <seifried seifried org>'s book]
>
> >> The only thing I can see coming out of a "checklist" security setup
> >> is a false sense of security.
>
> IMHO, this is incorrect. A "checklist", or tutorial, would help
> new users mitigate risks -- and the resulting improved security is
> real, not imagined.
I would strongly suggest that the checklist point out that it is helping
people eliminate old risks, but that (a) it doesn't cover any security
fixes found after [give date of last revision], and (b) the better the
administrator understands his or her system, the better he or she can
understand its security needs.
I'm sure that's more or less obvious here; but I think it needs to be
said.
> [1] As exploit information propagates through the
> grapevine, more and more people may potentially attack your system,
> which increases the risk of compromise. This seems to be the
> discrete case of a general security principle, where risk can be
> expressed as a function of time.
...
> If someone has heard of a discussion of "Security through
> obscurity" as a function of time, I'd really appreciate a
> pointer. Thanks.
I'd imagine that the risk would remain constant - an UNKNOWN constant,
but different for each obscured thing - until someone turns over the
right rock. After that, the risk would follow the same curve as above.
It would increase until the benefit [to the cracker] of knowing the hack
no longer outweighs the costs. In other words, when too few systems have the risk
to make it worth knowing. At that point, the system's risk actually
DEcreases. E.g.: how many people remember the program and string used
to crack DEC PDP-11 Sixth Edition Unix, and make it give you a root
shell? [RHETORICAL QUESTION. Well, maybe not. How many do remember
them? I've forgotten the string; but I could make one up pretty
quickly.]
Joe Yao jsdy tux org - Joseph S. D. Yao