Wayne Earl wayne@qconcepts.net
Mon Jan 27 07:18:34 PST 2003

On Sun, Jan 26, 2003 at 10:20:09AM -0500 or thereabouts, Shawn McMahon wrote:
> ssh is your friend; these applications are not.  I'm assuming you
> don't mean "point of sale".  :-)

Oh really? I know of companies that have had dozens of compromises
because of code screw-ups with OpenSSH.

Don't fall into the "it's secure because we use crypto" trap. This is
almost as foolish as the "it's secure because the source is open"
trap. Fact is, Sturgeon's Law applies to software as well - 90% of
everything is crap.

> You should never have ANY capability exposed to the Internet that
> you don't absolutely need.

Yup. No system, open or closed, can be provably secured. All a
sysadmin can do is to stay vigilant, and try to continuously raise the
bar, making it progressively more difficult for an attacker to
compromise a system.

As far as I can tell, anyone else who has tried to tell me anything
different was either ignorant or trying to sell me something.

Wayne Earl <wayne@qconcepts.net>
gpg public key: http://www.qconcepts.net/key.txt
gpg key fingerprint: 3CE4 0558 635E DADB 327C 73AB 11CA 9A6B B209 E8C5