Archive for May, 2003

Boring Unisys Security Seminar

Thursday, May 1st, 2003

[ from the what-are-they-taking? dept. ]

This is a rant.

So this Unisys guy gives yet another boring seminar on “Web Security”. Covers the basics with little extra adventure and uses the wrong terms, as usual, for the benefit of the Computer Scientists listening. All based upon Microsoft, IIS, and other horrible shit. Quite sickening.

Now this was not as bothering as the session afterwards where there was some live demonstration. He proceeds to log in as “Administrator” on a “hardened laptop” (it had Zone Alarm software installed) and spout fantastical shite about Microsoft security. I offered to secure an Apache system in 5 minutes (and I meant it) which would compete with his IIS setup… apparently it took six months to define templates to prevent access to the filesystem. In any case when I asked why he could not simply use a chroot jail my question was brushed over. Microsoft Windows does not do that kind of thing properly, you see…

Either this guy had never heard of capability sets on Windows and sudo on UNIX or he did a great job of ignoring it. Extolling the virtues of ACLs in response to my questions was interesting – given that most modern UNIX systems also support ACLs and Extended ACLs, and even permissions affecting other system objects – Linux has Trusted Path Execution, NSA Linux does funky shit and then there’s always Trusted Solaris.

I did point out that his repeated mentioning of buffer overflows was a moot point on systems where adequate protections are in place – through stack guarding software combined with non-Intel stack frame layouts – and that he was ignoring the potential for vulnerabilities in third party software and libraries which he had no access to.

Apparently “nobody buys Linux stuff” or Solaris, or in fact any non-Microsoft products – at least that was the view of one Unisys drone.

Vomit inducing.

Jon.