| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 13 Oct 2007 03:26:21 +0200 (CEST) From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz> To: imipak <imipak@...il.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: The Death of Defence in Depth ? - Aninvitation to Hack.lu On Wed, 10 Oct 2007, imipak wrote: > The problem - well, *a* problem, anyway - is that there are two > contradictory axioms in infosec that are regularly cited to support or > attack a particular strategy. > > "Defence in depth" The lines of defense are as independent as possible. The enemy does not win unless all of them are defeated. Formally, the attacker has to satisfy a conjuction of conditions. > "A chain is only as strong as it's weakest link". The links of a chain are dependent. The chain falls apart as soon as any of them are broken. Formally, the attacker has to satisfy a disjuction of conditions. There is no contradiction. You should try making the components of a secure system as independent as possible, and any residual dependencies should always go from less secure (and less important) components to more secure (and more important) components, never the other way. It was not difficult. Was it? --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists