> That seems to say that in no case should one risk
> any resource of critical value by putting it
> on the web because eleven men so inclined can
> always do it harm and this isn't a cost vs
> benefit issue.
No, security is a risk-management issue. If a dozen men can take me
down for a day, and my daily revenue is $10/day, then it's not worth
spending more than $10 to fix the problem.
> the overwhelming majority of defense is in the
> social behavior of those outside one's own control,
> that is, ensuring a system cannot be used to host
> an attack.
Yup. Unfortunately, the dominant desktop platform makes it very
difficult to ensure this. Esp when you consider how many VCR clocks
still blink 12:00. Consider it a case study as to why security and the
Internet should not just be grafted on to an existing product that had
no concept of "them," just "us."
> Is that really the case? I read that Microsoft
> was able to defend their servers this time
> although SCO could not.
The virus was pointed at specific IP addresses (doing DNS lookups would
have been too costly and obvious, I think). Microsoft didn't defend,
but they "ducked" by going to a new IP address. SCO failed to defend
themselves because they added a new name that pointed to the same IP
address. That was stupid and pointless.
/r$
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html