Date:	Tue, 30 Oct 2007 08:01:31 -0700 (PDT)
From:	Casey Schaufler <casey@...aufler-ca.com>
To:	Crispin Cowan <crispin@...spincowan.com>,
	Al Viro <viro@....linux.org.uk>
Cc:	Cliffe <cliffe@...net>, linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org
Subject: Re: Defense in depth: LSM *modules*, not a static interface


--- Crispin Cowan <crispin@...spincowan.com> wrote:

> Al Viro wrote:
> > On Tue, Oct 30, 2007 at 03:14:33PM +0800, Cliffe wrote:
> >   
> >> Defense in depth has long been recognised as an important secure design 
> >> principle. Security is best achieved using a layered approach.
> >>     
> >  "Layered approach" is not a magic incantation to excuse any bit of snake
> > oil.  Homeopathic remedies might not harm (pure water is pure water),
> > but that's not an excuse for quackery.  And frankly, most of the
> > "security improvement" crowd sound exactly like woo-peddlers.
> >   
> Frank's point was that the static interface makes layering somewhere
> between impractical and impossible. The static interface change should
> be dumped so that layering is at least possible. Whether any given
> security module is worth while is a separate issue.
> 
> I.e. that there are bad medicines around is a poor excuse to ban
> syringes and demand that everyone be born with a strong immune system.
> 
> Why is it that security flame wars always end up reasoning with absurd
> analogies? :-)

That's my fault, sorry. I don't know why it's my fault,
but that's where it usually ends up and I thought I'd get
the blame bit out of the way. Gotta go squeeze some legless
reptiles now.


Casey Schaufler
casey@...aufler-ca.com