Message-ID: <1147421465.1075961920.24838.sendItem@bloglines.com>
Date: Fri May 12 09:11:28 2006
From: schanulleke.29172787 at bloglines.com (schanulleke.29172787@...glines.com)
Subject: MS06-019 - How long before this develops into a
	self propagating email worm

n3td3v,

You wrote:

> > threat meters:
> Seriously, threat meters are a waste of time and should be scrapped
> by all.

I am not a big fan of them either unless they are implemented well,
meaning there are concrete reasons to go from one state to the other
and each state has specific actions attached to them.

All the net and IRL threat meters seem to lack these requirements.


> Let's call it "paranoia meter" because it's hearsay, there is no
> particular threat. Just because a vulnerability is wild and not
> patched, does not pose a threat. In terrorism a threat is specific
> information that an attack is being planned.

I have to disagree with your definition of a threat here.
Threat is the likelihood of something happening, whether it is planned
or not.


When I go into certain neighbourhoods of certain places with a lot of
gold jewellery showing, the threat of being mugged is higher than when
I don't show the gold.

The consequences of an event happening are also part of the threat.
I have a high chance of taking coffee in the next 30 minutes, but the
(negative) consequences of that are so low I do not consider it a
threat.

Likewise the public knowledge of a vulnerability increases the
likelihood of it being exploited. If the vulnerability has serious
consequences (like the current Exchange vulnerability) the threat is
again greater.



> Although, the internet threat meters are lamer than the mainland
> threat meter (and even the mainland threat meter is lame), because
> it's completely based on hearsay, there's an unpatched
> vulnerability, "this could happen, but we don't have any
> intelligence whatsoever that something is being programmed, but we
> thought we'd raise the internet threat level, you know because
> there's nothing else happening".

Yes, this is hearsay, like most other intelligence. If it was not
hearsay it would again increase the likeliness and the threat.

> Although, that's how it used to be. The "bad guys" have realised now
> how much money these cyber agencies are making out of exploit virii,
> that they've decided not to launch an attack, based on their threat
> meters. The only time a real threat will come is when cyber agencies
> are off-watch. Why would an attack be launched if governments and
> businesses are expecting something to happen? The element of surprise
> is as important as the terrorism which gives them the name terrorist.


Thanks for that insight. I feel we might have to make the split between
real hackers and the other 95%.

> Welcome to the future. Times are changing. You can create a paranoia
> amongst the community, but the new kids on the block aren't playing a
> destructive game of tig between malicious users and security vendors.
> The ball is in the malicious users' court. Each time you raise your
> threat level and nothing happens is eating away at the credibility of
> security vendors, although the bad guys always will have a cool knack
> of creeping up on everyone when they least expect it.

True, yet the security vendors cannot afford to not make people aware
of the current conditions.


> Although, has it ever been the case "thanks to your threat meter I
> wasn't hacked", or with mainland terrorism "thanks to the terror
> meter, I spotted a terrorist and called the cops and managed to divert
> a 9/11 style attack"

Unless there are specific actions associated with a threat level it
will not accomplish anything.

Schanulleke
