On Fri, Feb 25, 2011 at 8:06 PM, Ron Johnson <ron.l.john...@cox.net> wrote:

> On 02/25/2011 06:30 PM, John Hasler wrote:
>
>> Andrei Popescu wrote:
>>
>>> But there is no 100% way to tell the machine is clean, so you will
>>> have to wipe and reinstall anyway.
>>>
>>
>> But if the machine is in fact clean you will have lost nothing but time.
>> Which is better: to know for sure that the Russian mafia got all your
>> customer records or suspect that they might have but have reason to
>> believe that that they probably didn't?
>>
>
> Which is why you should run your site and databases on an obscure but very
> secure OS and platform like OpenVMS/Alpha.
>
> All the people who used to hack on it in college are at least 45yo, far
> beyond their "cracking" phase.
>
>
funny, i had a conversation about this with someone not long ago...

i don't think your examples are very good / secure. however, if you want
security, you might go with openbsd. however, some services aren't ported to
it. so, you might have the most secure server environment, but no way to run
what you want - what have you gained?

the better option is to gauge risk and to gauge how much you're likely to
lose if bad things happen to you. see, if you do something stupid like talk
shit about anonymous (see hbgary) your risk has gone up and you lose tons
of stuff (and show that you're a security company that can't even secure
your home front - oops).

however, if you are a restaurant with a small web site, you are probably not
getting that many visitors in the first place (defacement isn't going to
cost you much), you probably aren't taking in data (no disclosure of loss of
pii required), maybe you don't even have any form fields (no sql injection,
xss, xsrf, etc), maybe you even host it with a hosting company so they've
got their own security. so, you've got decent security by default and your
losses would be minimal. so, you'd be stupid to spend tons of money on
securing your web page.

by the same token, you're the restaurant, you take credit cards using
square. one of your employees gets a virus on their phone and you lose tons
of card numbers to the russian mafia. well, you might have problems. your
computers are secure, but you've lost your customers' confidence.
