Date: Fri, 12 Oct 2007 23:20:27 +0000
From: gjgowey@....blackberry.net
To: "Eric Rachner" <eric@...hner.us>,
	full-disclosure-bounces@...ts.grok.org.uk,
	full-disclosure@...ts.grok.org.uk
Subject: Re: The Death of Defence in Depth ? - An invitation to Hack.lu

I think reducing size and enhancing security do not belong in any document that regards security.  If you are relying on one solution as a cure-all then you're doomed to failure.  This is because all products have bugs and problems, and having only one uniform environment to work with is fertile ground for a disaster.  This is not a hypothetical thought either.

I had one employer who once did not patch his Windows systems properly.  Mind you, he had antivirus protection, but it didn't save him.  A worm got loose and it went through 5 sites' worth of Windows XP systems like a blowtorch through butter because the connectivity was free and clear between them (nice fat OC-192s, no less).  I prefer to abide by a saying that I once read in a FidoNet posting: never have more than 10% of one company's product, never be more than 10% of one company's business.

Geoff
 


Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Eric Rachner" <eric@...hner.us>

Date: Sat, 13 Oct 2007 00:49:03 
To:<full-disclosure@...ts.grok.org.uk>
Subject: Re: [Full-disclosure] The Death of Defence in Depth ? - An invitation to Hack.lu


$0.02:

"Defense in Depth" means *reducing* attackable surface, *reducing* execution
privilege, *reducing* complexity, etc.

If you guys are criticizing the ongoing trend towards enterprise-wide AV
monitoring and routing all network traffic through SSL-terminating
deep-packet-inspecting content-filtering 1U rack mount appliances, well,
that's more like the exact opposite.  That's more surface area, more
complexity, and more privilege.

I'd call it "Defense in Breadth."

- Eric

Thierry Zoller wrote:
> Dear Felix,
> While I love your comment and really welcome constructive criticism,
> I actually think you should keep the focus on the Fox News style
> question marks. Nowhere is being said that this is the end of
> Defence in Depth (as a paradigm), we ask the question.
>
> Then again you seem to be judging about something you haven't seen
> nor read. Is this because I ask the Fox News style questions and you
> give Fox News style comments ?
>
> FFL> the title is misleading at best.
> While I have the utmost respect of your person, in this particular
> case, I am sorry dude, but how can you tell ? Have you seen the
> presentation? Have you heard the conclusion? I don't think so?
> Though you are more than welcome to see it :)
>
> FFL> Defense in Depth has nothing to do
> FFL> with security software.
> In a certain sense it has. Defence in depth is a Paradigm as not only
> applied to how you design software but also how you implement solutions.
> The talk is about reality, not an RFC or CISSP Definition.
>
> FYI, while certainly not a reference, here is what Wikipedia has to say:
> "Defense in Depth is an Information Assurance (IA) strategy where
> multiple layers of defense are placed throughout an Information
> Technology (IT) system and addresses personnel, technology and
> operations for the duration of the system's lifecycle."
> http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
>
> FFL> To the contrary. The paradigm describes an
> FFL> approach where you assume that individual (even multiple) elements of your
> FFL> defense fall, in the worst possible way (which could be code
> FFL> execution).
> Thank you for the definition, though I must let you know I am fully
> aware of it. (I miss a mandatory RFC link) The presentation will
> talk of exactly that "...assume.. multiple elements of your defense fall"
>
> What currently is being done in the industry is to ADD more layers of
> defence to protect against one failing, this is being done by adding
> one parsing engine after the other. Again nobody said Defence in Depth
> is wrong in itself, it's just the way the Software Industry has led
> companies to implement it. _This_ is the point.
>
> Don't get me wrong, defence in depth as general Paradigm is perfectly
> fine :) But you would have had to listen to the talk to draw that
> conclusion, this is what I find most irritating about your comment. And
> it raises a big question mark as to your motivation for this public
> comment.
>
> FFL> What you are describing is people adding security software
> FFL> _instead_ of applying a thorough defense in depth design.
> I am describing nothing Felix, you are judging about a Presentation
> _you have not even seen_. How dare you !!! ==))))
>
> FFL> Your presentation title suggests that one of the very few paradigms
> FFL> that actually promises long term security benefits does not work.
> Felix I am suggesting nothing, you are taking a friendly invitation
> as reason to bitch about how you THINK the talk will be given, though
> you have no clue.
>
> FFL> Wrong. I suggest you find a better title.
> Zu befehl ! =)
>
> The title fits the presentation perfectly, I find it rather arrogant
> and bloated to comment in this way and fashion on a public mailing
> list. I welcome any other comment to my personal Inbox, Phone, Fax
> whatever, I will ignore any other comment by public means before
> the actual talk was given and there is actual substance to start
> a discussion. I would have loved to receive a question before you
> shoot.
>

--

"If we knew what it was we were doing, it would not be called research,
would it?", Albert Einstein
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
