note
arhuman
<br>I must have been VERY unclear:<br>
I've never said security 'is too hard'; in fact I think security is obvious<br>
(a large part of the vulnerabilities are known and categorized)<br>
<br>
I only say that most of us can't afford the cost of true security<br>
I furthermore think that saying "security is easy, you only have to do
simple things to secure your machine" is wrong!<br>
(the easy things to do provide only weak protection against clueless script kiddies)<br>
It's not only wrong but it has the bad side-effect of (wrongly) making you <b>feel</b> secure.<br>
<br>
Really securing your machine is a constant/heavy process.<br>
The recipes are known, but they are impractical in real use.<br>
<br>
"<em>I'm trying to point out that many hacks are executed through very common and easily fixed vulnerabilities</em>"<br>
I'd like to do it; just imagine how much time it would take to constantly check for new exploits/versions and upgrades.<br> Tell me, how do you <em>easily fix</em> production servers which must be running 24 hours a day, 7 days a week<br> (with, of course, some applications incompatible with the new secure version of other applications)?<br>
<br>
"<em>Let them use their FTP clients</em>"<br>
OK, but they want the same password for telnet and ftp; anyone with a sniffer on my subnet now has local access on my box.<br>
<br>
"<em>Users will complain about being forced to change their passwords and to mix case, add numbers, and so on.<br> But they eventually learn and adapt.</em>"<br>
You're right, they'll adapt; I can't count the number of times I caught them writing it on a post-it (put ON THE SCREEN!!!)<br>
<br>
"<em>Don't let them play in a sandbox on the same machine as the one running your database.</em>"<br>
Another machine? I can't convince my boss to give me a little time;<br>
how will I convince him to spend hundreds of dollars on the box/hosting?<br>
Worse! I will now have another box to secure...<br>
<br>
<em>Explain to him the benefit of having a more educated admin/programmer.</em> I've tried; he then explained to me the benefit to the company of making money, he explained to me how much 2 hours of security cost and how much 2 hours of coding bring us<br>
(It IS a huge error if you think in terms of long-term effects, but my boss tends to be short-sighted...)<br>
<br>
That's why I (and you'll) have to think in terms of efficiency (or cost, which is the right term here, as [jeroenes] said).<br>
<br> I hope you won't take it as irony or a personal attack, but this is MY REALITY, and probably that of a lot of sysadmins...<br>
<br>
All I can say is to claim it again:<br>
<b>Be security aware, especially because you CAN'T reach true security, and try to make things as secure AND easy AS YOU CAN.</b><br>
<br>
<br>"Trying to be a SMART lamer" (thanx to <a href="/index.pl?node=Merlyn&lastnode_id=1072">Merlyn</a> ;-)<br>
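As an added example, not part of arhuman's post or of anything else on this page, here is the sniffer scenario from the ftp/telnet paragraph above worked through in Python: reassemble cleartext ftp and telnet traffic and pull out the credentials that any host on the same subnet would see, then flag the users whose two passwords match. The packet segments, hosts, user name and password are constructed sample data; a real capture would come from libpcap and would carry telnet option negotiation (IAC sequences), which the sample omits.

```python
"""Added example (not from the original post): what a sniffer on the same
subnet sees when telnet and ftp share a password.

The segments below are constructed sample data; a real capture would come
from libpcap, but the reassembly and extraction logic is the same.
"""
import re
from collections import defaultdict

FTP_PORT = 21
TELNET_PORT = 23

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port, payload).
# Telnet option negotiation (IAC bytes) is omitted for brevity.  The telnet
# server echoes the login name but not the password, and the client sends
# the password one keystroke per segment, as a real session would.
SAMPLE_SEGMENTS = [
    ("10.0.0.5", 40001, "10.0.0.9", FTP_PORT, b"USER alice\r\n"),
    ("10.0.0.9", FTP_PORT, "10.0.0.5", 40001, b"331 Password required for alice\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", FTP_PORT, b"PASS s3cret\r\n"),
    ("10.0.0.9", FTP_PORT, "10.0.0.5", 40001, b"230 User alice logged in\r\n"),
    ("10.0.0.9", TELNET_PORT, "10.0.0.5", 40002, b"login: "),
    ("10.0.0.5", 40002, "10.0.0.9", TELNET_PORT, b"alice\r\n"),
    ("10.0.0.9", TELNET_PORT, "10.0.0.5", 40002, b"Password: "),
] + [("10.0.0.5", 40002, "10.0.0.9", TELNET_PORT, ch)
     for ch in (b"s", b"3", b"c", b"r", b"e", b"t", b"\r\n")]

# USER/PASS lines on the ftp control channel; tolerant of CRLF and LF.
FTP_CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(.*?)\r?$",
                         re.MULTILINE | re.IGNORECASE)


def group_flows(segments):
    """Group segments per connection, keyed on (client ip, client port,
    server ip, server port), tagging each payload with its direction."""
    flows = defaultdict(list)
    for src, sport, dst, dport, data in segments:
        if dport in (FTP_PORT, TELNET_PORT):
            flows[(src, sport, dst, dport)].append(("c", data))
        elif sport in (FTP_PORT, TELNET_PORT):
            flows[(dst, dport, src, sport)].append(("s", data))
    return flows


def ftp_credentials(server, events):
    """FTP sends USER and PASS as whole lines on the control channel."""
    client_stream = b"".join(d for who, d in events if who == "c")
    found, user = [], None
    for cmd, arg in FTP_CRED_RE.findall(client_stream):
        if cmd.upper() == b"USER":
            user = arg.decode("latin-1")
        elif user is not None:
            found.append({"proto": "ftp", "server": server, "user": user,
                          "password": arg.decode("latin-1")})
            user = None
    return found


def telnet_credentials(server, events):
    """Telnet has no framing for logins: watch for the server's
    'login:' / 'Password:' prompts and collect the client keystrokes
    that follow each one up to the newline."""
    found, state, buf, user = [], None, b"", None
    for who, data in events:
        if who == "s":
            prompt = data.rstrip().lower()
            if prompt.endswith(b"login:"):
                state, buf = "user", b""
            elif prompt.endswith(b"password:"):
                state, buf = "pass", b""
            continue
        if state is None:
            continue
        buf += data
        if b"\n" in buf:
            value = buf.split(b"\n", 1)[0].rstrip(b"\r").decode("latin-1")
            if state == "user":
                user = value
            elif user is not None:
                found.append({"proto": "telnet", "server": server,
                              "user": user, "password": value})
                user = None
            state, buf = None, b""
    return found


def extract_credentials(segments):
    """Return every cleartext login seen in the segment list."""
    creds = []
    for (_cip, _cport, sip, sport), events in group_flows(segments).items():
        if sport == FTP_PORT:
            creds.extend(ftp_credentials(sip, events))
        elif sport == TELNET_PORT:
            creds.extend(telnet_credentials(sip, events))
    return creds


def shared_passwords(creds):
    """Users whose ftp and telnet passwords match: the case arhuman
    describes, where one sniffed ftp login is also a shell login."""
    by_user = defaultdict(dict)
    for c in creds:
        by_user[(c["server"], c["user"])][c["proto"]] = c["password"]
    return sorted(user for (server, user), p in by_user.items()
                  if "ftp" in p and "telnet" in p and p["ftp"] == p["telnet"])


if __name__ == "__main__":
    seen = extract_credentials(SAMPLE_SEGMENTS)
    for c in seen:
        print(f"{c['proto']:6} {c['server']}  {c['user']}:{c['password']}")
    print("same password for ftp and telnet:", shared_passwords(seen))
```

Run as-is it prints both logins for alice and lists her as a user whose single sniffed ftp password is also a telnet password. The point of the post stands either way: the fix is not a cleverer sniffer but replacing cleartext ftp/telnet with an encrypted channel, and until that is affordable, at least not letting the two services share a password.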