[kwlug-disc] OpenVPN (Was: Re: firewall question)

unsolicited unsolicited at swiz.ca
Thu Feb 19 01:18:39 EST 2009


Cedric Puddy wrote, On 02/19/2009 12:25 AM:
> Sure, unless you happen to subscribe to the view that most VM 
> implementations are terribly insecure... (Why is it that any attempt to 
> reach for certainty while in the presence of the concepts "computing" 
> and "security" suddenly turns into an Alice in Wonderland adventure?)
.
.
.

Thank you for that. Hilarious.

The biggest 'problem' with "computing security" is FUD.

"Somebody might hack us ... we have to protect ourselves!"

As I noted elsewhere ... the significant problem is ... how would you 
know if you were? Was that data error due to a hacker, or somebody 
transposed digits? (Taking out the "it won't turn on" scenarios.)

Qualifying and quantifying the risk seems to go out the window (and to 
Alice in Wonderland we go). Never mind that the cost of the proposed 
system would be more than the cost of a steno pool retyping in the 
data by hand.


The security industry has done a good job: Oh no, there are viruses 
out there!

Industry itself, in a sense, has not done itself any favours - no, 
let's not let anyone know that we got hacked. (So nobody can get a 
handle on the risk or likelihood of getting hacked themselves.)

Things like the credit card information scandal (Winner's parent ... I 
can't think of the real names at the moment) don't help.


So you have an unknown risk, and an unquantified down time (bet your 
business) possibility. You try and protect yourself.

But how much is enough? We don't know.


Is your vm _likely_ to be hacked? No. If it is hacked, are they 
_likely_ to be able to do anything more than bring down the vm or the 
machine? No. Even if that happens, can you live with the less than 24 
hours before somebody notices and reboots the machine, and copies the 
good backup copy of the vm? Probably. (But how do you know the good 
backup copy isn't corrupted too?)

Do you want to be the one who let the unlikely actually happen?

"Nobody got fired for buying IBM."

What are you more at risk for:
- spilling a pop on a server keyboard?
- someone else deleting your critical document (such as the 
presentation you have to do tomorrow), including those cases where the 
someone is you?
- someone tripping over a computer and now it won't boot?
- getting a paper cut?
- your child trying to help you with the computer?
- getting hacked?
- physical computer theft with critical or confidential data on it?
- accidentally replying to everyone in the company?
- forgetting your keys (to the server room)?


http://en.wikipedia.org/wiki/Business_continuity_planning
http://en.wikipedia.org/wiki/Recovery_time_objective
http://en.wikipedia.org/wiki/Recovery_point_objective


80/20 rule?

And let's not hold the ISP's feet to the fire. DoS attack? How was it 
even allowed to get through the ISP? We'll just leave SPAM alone for 
this thread.


