lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0MKz1m-1DAZFp3QJI-0002BA@mrelay.perfora.net>
From: derek at angelofsin.net (derek@...elofsin.net)
Subject: Re: Reuters: Microsoft to give holes info


On Sat, 12 Mar 2005 16:33:46 CST, "Valdis.Kletnieks@...edu" said:

============================
Critical infrastructure:  If it dies, things start breaking *very*
badly, very quickly.

If a PC directly related to managing calls in an E911 center dies, then
emergency calls don't get routed.  That's critical infrastructure.

-===snip a few example cases===-

Now tell me - what percent of government systems, if they were suddenly
and unexpectedly unplugged from the network, would result in a partial
or complete loss of network functionality?  Things like routers, mail
servers, Active Directory servers, and so on - *those* are "critical
infrastructure".
============================

I believe the argument here is over one simple factor, and I disagree
with you on this point.

Critical infrastructure refers to anything that takes down a lot of
other things when it collapses--you said this, and I agree completely.

However, in your argument you focus upon critical network infrastructure
as if it is the only critical infrastructure.  It is not.  There are
network components that are critical parts of judicial, private, or
corporate infrastructure.  These devices and their status may be of
little concern to the *network*, but they may be of great concern to
the *society* in which they are deployed.

For instance, if the entire IRS database (and all backups) went up in a
puff of smoke, the internet as a whole would likely experience only a
small disturbance.

This does not, however, mean that the IRS machines are not critical
infrastructure; it merely means that the IRS machines are not critical
*network* infrastructure.  If the IRS or the GAO collapsed, there would
be a pronounced disruption in governmental services (and hopefully
someone would find a way to keep things operating without funding until
a new accounting system could be deployed because things could get
quite messy... imagine the economic impact of thousands of federal
employees receiving no pay for weeks, and remember that this is just
one aspect of American activity that is directly affected by federal
financing).

To sum it all up, you narrowed the scope of critical infrastructure to
include only critical network infrastructure, and I do not see that
sufficient justification was given for doing so.

---
Derek Durski
derek@...elofsin.net

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ