lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050323180950.A20A082586@mx01.forces.gc.ca>
Date: Wed, 23 Mar 2005 11:24:14 -0500
From: Arndt.WA@...ces.gc.ca
To: jasonc@...ence.org, gillettdavid@...a.edu, jericho@...rition.org
Cc: sberinato@....com, full-disclosure@...ts.grok.org.uk,
	isn@....org, bugtraq@...urityfocus.com
Subject: RE: [ISN] How To Save The Internet


Jason Coombs wrote:
> 
> David Gillett wrote:
> > are the various rights of the owner
> > of the CPU, the *operator* of the
> > CPU, and the owner of the *data*,
> > each of whom may have a more or
> > less legitimate say in what code
> > actually gets executed.
> 
> Nonsense. Absurd, ridiculous nonsense.
> 
> There is only one party who has any say over what code gets 
> executed by a CPU: the owner of that physical property.
> 
> Everyone else can go fly a kite.

Hold on. If you're dealing with a large company or government
department, who "physically owns" the computer in question,
you can't tell me that they're going to micromanage exactly
what goes on with that system. They'll delegate the authority
off to someone who'll actually run the equipment. That sounds
like an "*operator* of the CPU" to me...
> 
> Take your intellectual property fantasies and your heady 
> legal concerns to law school, they have no place in security 
> technology.

I don't read "intellectual property" anywhere in David's
position at all. He quite rightly separates the three obvious
stakeholders in any computer system, be it a desktop or a huge
data storage facility.

When you're dealing with a system that's primary function is
serving up reams of data (say a database), the access to that
data will involve someone running "code" (read: an application).
This access cannot be controlled solely by the maintainer of the
computer(s) and other equipment that make up the DB. Similarly,
isn't going to be the DBA, who's role is to maintain the data
contained in the DB, either. In this example, a user running
queries against that DB is exercising control and most certainly
has a "say in what code actually gets executed" as a result. I
don't think I need to point out that this user could even be
someone external to your organisation, but I will anyway...
> 
<Snip out Intellectual Property driven rant>

I'm not trying to flame or troll here. I just think that in
the world we live in now, where computers (and the CPUs they
contain) are "operated" by various stakeholders, it is a hard
sell to say that only one entity controls the resources in
question. As the "owner" of the CPU, you might be able to say
when it will be available (NO, I don't like you. Power off),
but this won't help the bottom line. Same thing with an the
folks assigned the role of "operator" - they're there to enable
the business, not impede it. Users, be they your own or the
customers your system is designed to serve, will always get
a say. The issue here, as I see it, is to properly govern how
the rights assigned.

Like it or not, we're all here to ultimately make the end users
happy. Besides, isn't security supposed to support and improved
your operations? Your approach would, IMHO, do the opposite...

Alex Arndt
CISSP, GCIA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ