On Tue, 2006-03-07 at 23:48, Michael H. Warfield wrote:

> You want to ignore fundamental security principles at your convenience
> and use other security vectors and principles as your defense. You've
> got a "patch it" mentality. Patch it and you can ignore other basic
> security principles.

More to the point, you can actually use the service when you need it.

> But modern security takes "defense in depth" as
> axiomatic. This you choose to ignore. Ignore it at your peril.

What you are ignoring is that if nobody runs services they won't be fixed when you do have a need for them.

> Patching helps, but defend against the unknown holes as well.
> Firewalls help, but so does tcpwrappers. They do the same things but
> differently. So use the both. When one thing fails, the next defends
> you. They can't break in through something you didn't install. If they
> break in, they can't exploit some stupid asinine local exploit to gain
> root and install a root kit on your ass. It happens. It has happened
> and it will happen.

And it will keep happening until the code is fixed. Then it stops happening. The code won't be fixed if no one runs it.

--
Les Mikesell
lesmikesell@xxxxxxxxx