Open Source and information security mailing list archives
Message-Id: <20071010104054.43693f70.fx@recurity-labs.com>
Date: Wed, 10 Oct 2007 10:40:54 +0200
From: "Felix 'FX' Lindner" <fx@...urity-labs.com>
To: Thierry Zoller <Thierry@...ler.lu>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	news@...uriteam.org
Subject: Re: [Full-disclosure] The Death of Defence in Depth ? - An
 invitation to Hack.lu

Thierry,

On Tue, 9 Oct 2007 21:14:30 +0200 Thierry Zoller <Thierry@...ler.lu>
wrote:
> The Death of Defence in Depth ? - A rather bold question that
> is; is this another overhyped bloated Presentation ? Or maybe do
> we really have to rethink the way we implement Defence in Depth
> on our networks ? This talk will hopefully give you the answers,
> if not at least the correct questions to ask yourselves.
> 
> Over the last year [2], n.runs AG investigated Software that is
> commonly being used in a Defence in Depth approach and was
> quite alarmed. The number of Bugs and Design problems we found
> was so tremendous that we had problems dealing with the sheer
> amount of Vendor coordination and notification emails. 

the title is misleading at best. Defense in Depth has nothing to do
with security software. To the contrary. The paradigm describes an
approach where you assume that individual (even multiple) elements of your
defense fall, in the worst possible way (which could be code
execution). What you are describing is people adding security software
_instead_ of applying a thorough defense in depth design.

Your presentation title suggests that one of the very few paradigms
that actually promises long term security benefits does not work.
Wrong. I suggest you find a better title.

cheers
FX

-- 
Recurity Labs GmbH           | Felix 'FX' Lindner 
http://www.recurity-labs.com | fx@...urity-labs.com 
Wrangelstrasse 4             | Fon: +49 30 69539993-0
10997 Berlin                 | PGP: A740 DE51 9891 19DF 0D05  
Germany                      |      13B3 1759 C388 C92D 6BBB
HRB 105213 B, Amtsgericht Charlottenburg, GF Felix Lindner
