I said that this was an example of the loss of historical data we experience in network security. I pointed out that the "classic" is Bill Cheswick's "crunchy shell around a soft, chewy center." (This is from "The Design of a Secure Internet Gateway," whose date is not stated in the version I have.)
At this point, you're perhaps thinking that I sound like a grouch, and that I grouched about it because I am a grouch. Well, maybe.
In my defense, please see some previous blog entries. I referred to this as a problem in this blog entry from 20 Sep 2004. That entry references an earlier blog entry Security Redux and a column I wrote.
In response to my firewall-wizards posting, Dr. Tina Bird e-mailed the following:
2004 compromises look very similar to 1989 compromises: bad passwords, insecure configurations, unpatched software. For example:
"Recently, the CERT/CC has been working with several Unix sites that have experienced breakins. Running tftpd, accounts with guessable passwords or no passwords, and known security holes not being patched have been the bulk of the problems." - October 17, 1989
So let's see:
- the Agobot family of Windows exploits -- bad passwords
- Blaster/Sasser/SQL Slammer -- unpatched software
- hordes of exploits propagating over peer-to-peer apps with insecure configurations...
It's not an OS insecurity issue, it's the bloody humans!
Thanks, Tina. I wish it weren't so.
References for compromised machines from CERT: