Date: Fri, 12 Feb 2010 17:33:36 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: "Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>, Christian Sciberras
	<uuf6429@...il.com>, full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Risk measurements

> Well, yeah. I suppose it's *possible* that your system's weak password
> system will allow a hacker to get in, and from your system hack into
> the LHC and control it to spawn a black hole that eats the Earth.  And
> even that is still a finite, not "infinitum".

I'll cite the 2009 Verizon Business Data Breach Report:

74% of breaches were external; 67% had some aspect of user error on the victim's part as the primary reason for breach - things like default passwords and SQL injection (so very sad).  Of those, 98% contained SOME level of the aforementioned.  83% were not difficult, and 87% could have been prevented by *simple intermediate controls*.

Those are "real world" figures, and they speak to the real problem - the configuration and deployment of the systems in the real world as they stand, and NOT 0days, or l337 hacks.  
 
> It's also pretty fucking unlikely.  Most of the time, the analysis
> sticks to reasonably predictable outcomes - the cost of a critical
> server being down for X number of days, the cost of
> penalties/fines/lawsuits if there's an exposure, the cost of bad PR,
> etc.  At some point, you have to forget about the movie-plot scenarios
> and restrict yourself to the shit that actually happens in real life.
> If a given result hasn't been reported in the trade press in the last 5
> years, you can probably not worry about it.

I totally agree with the "real life" aspect of this.  Understand that I'm NOT against risk modeling - the whole thing is a model up until the point that something happens.  I assert that you can't take a generic solution and plug it into some formula to get a "risk number" on the other side - well, specifically, you can DO that, but the number won't matter insofar as any system in particular is concerned.  More on that in a sec. 

> Why do people understand how buying insurance works, but have trouble
> understanding that security is the same sort of trade-offs?  In both
> cases, it's the same sort of risk modeling and analysis.

Because insurance applies to them PERSONALLY.  Insurance protects me.  I understand that.  I also understand that insurance companies make money because they get paid a lot to protect other people that never need a payout.  But I don't care about that, nor do I need to understand exactly HOW the insurance company makes money - I care about it when it happens to ME, and know that I am personally protected by it.

I think a better analogy here is not the insurance industry, but rather, Vegas.  Before I go there, I'll stipulate again that one cannot use a formula to determine any real value of a *particular* system being compromised - not one that can be applied to any other system, that is.  In other words, the same formula cannot be used against two different systems and have valuable results in both cases.  Now, that does not mean that you can't look at all systems together and maybe determine some overall level of exploitation (as is just NOW being suggested by others in the new title of this thread).  I KNOW you can do that, but it doesn't "solve" anything.  Vegas knows that they will win some, and that they will lose some.  They also know that statistically, they will win more than not.  Over time, this adds up as hard cash.  However, the model won't determine the outcome of any particular game or hand, nor, more importantly, the effect the losses have upon the losers.  Nor does a One Size Fits All risk model of compromise.  I have no doubt that after Dr. Wright ciphers up this model, that it will be purchased by someone.  If he does it "right" then there won't be any provable outcome one way or the other and the sale can be defended.  It's a great marketing idea, and people with big bucks will buy it.  But it won't solve anything at all in the "real world."  Alien abduction insurance SELLS.  It really does.  But that doesn't mean it has any value.

The thing is, large companies already know this.  And they don't care other than how it affects the bottom line.  Having a probability model to tell them something they already know won't matter.  Systems will be breached, people will be fired, and others hired to replace them, and lots of "busy" work will be done.  So I guess it all depends on what the GOAL of such a system is.  To me, I want to keep my job.  I'll do that by having systems and procedures in place that prove I can maintain a system without it getting breached.  I want YOU to have a job, so that you can buy the beer when we sit down together at a conference and shoot the shit.  Pretty models don't let us keep our job.  They are great to look at and fun to burn hours on, particularly when we're getting paid, but there is no real payoff other than the process of doing it.  When I was a kid, I built a model of an F-4 Phantom.  It was gorgeous.  The paint job was beautiful, the gear worked, the cockpit opened, and the pilot even came out to inspect the plane before my cat ate him.  Anyone who knew anything about fighter aircraft could look at it and immediately know it was an F-4 Phantom, and a damn beautiful one at that.  People would have paid money for it, I bet.  Did it fly?  Nope.

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/