Subject: Re: [suse-security] Suggestion to the SuSE security people
From: Kurt Seifried (listuser@seifried.org)
Date: Thu Oct 05 2000 - 04:55:11 CDT


> Totally agreed. Mass updates in Microsoft style where one has to download
> some 100 MBs of service packs is nonsense. From a security admin's view it is
> nonsense, too, to upgrade packages just because there's a new version out;
> if you don't need the new features or if there are no serious bugfixes or
> plugged security holes, updating is just a (possibly dangerous) waste of time.
[snipsnip]
> I am not convinced that such flags would be a good idea. It may lead
> people to think that their systems without shell accounts (but with smtp, pop3
> and/or ssh) are perfectly safe if they keep their "external" packages up to date.
> If their freshly updated wuftpd turns out to be buggy, black hats may gain
> access and happily root the machine by exploiting "internal" packages and their
> occasional vulnerabilities which have never been fixed properly.

Also there are many problems (like in POP, ftp for example) where a user
account is required to exploit them, making them an "internal" threat. There is
a huge difference between an anonymous ftp exploit and one requiring a user
account.

> Personally I do not trust anyone interacting with my hosts, even less if
> it is an internal user. According to my experiences there's a percentage of
> 10 to 20% of security breaches committed by internal or "trusted" users;
> "the enemy lies within"! ;-)

You will find that as your perimeter security gets better (firewalls,
anti-virus, intrusion detection, etc.) the percentage of attacks originating
from within will grow =).

I'm just gonna quote an article I'm writing cause I'm lazy

Security is a holistic practice; you can't just plug one hole and expect all
your problems to be solved. No matter how perfect a technological solution
you use (encryption, firewalls, etc.), as long as there are humans involved
mistakes can be made, and people you thought you could trust turn out to be
hostile in intent.

> Boris

-Kurt
