Inadequate documentation and knowledge

From: C Colon (foobar@asia.com)
Date: 05/29/02

If you look at vendor documentation for any kind of product, be it an
operating system, an application system, or just a network device,
what comes across strongly is that all vendors bring in a lot of
effort to make the entire document jazzy, feature rich, and fantastic
to look at. But is this *really* helping?

What all these documents lack is a seriousness to point out the risks
of leaving security loopholes. While it might mention that passwords
should be of such and such length, it will not try and document why
passwords should have a minimum length and what the potential
pitfalls and business risk implications are. Has any one of you come
across any operating system which warns the user against insecure
configurations during installation? I would say No, 99 cases out of
100. Even then, I am optimistic!!

How many operating system vendors even disclose to each purchaser
that an 8-character-long password would take so much time to crack
with such and such configuration? I'm just providing an example here.

While vendors talk at length about how security is paramount, they
would still go to great lengths to make a multimedia file work on your
computer, rather than work towards providing a secure computing
environment without having to try very hard at things such as proper
configuration management, site hardening, et al. While these do keep
us in the security business busy and provide us with the moolah which
makes our life happy, have we gone so far into commercialisation that
we sell faulty parts to keep our service departments happy?

What would help? Search me. Perhaps a worldwide forum of like-minded
individuals would be powerful enough to tell vendors that preaching
security is nowhere near practicing and enforcing security.

Regards,
C:\>
-----------------------------------------
Kindly post replies to the newsgroup itself
