lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 10 Oct 2007 15:29:10 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: The Death of Defence in Depth ? - An
	invitation to Hack.lu

Dear Felix,
While I love your comment and really welcome constructive criticism,
I actually think you should keep the focus on the Fox News style
question marks. Nowhere is being said that this is the end of
Defence in Depth (as a paradigm), we ask the question.

Then again you seem to be judging about something you haven't seen
nor read. Is this because I ask the Fox News style questions and you
give Fox News style comments ?

FFL> the title is misleading at best.
While I have the upmost respect of your person, in this particular
case, I am sorry dude, but how can you tell ? Have you seen the
presentation? Have you heard the conclusion? I don't think so?
Though you are more than welcome to see it :)

FFL> Defense in Depth has nothing to do
FFL> with security software.
In a certain sense it has. Defence in depth is a Paradigm as not only
applied to how you design software but also how you implement solutions.
The talk is about reality, not an RFC or CISSP Definition.

FYI, while certainly not a reference, here is what Wikipedia has to say:
"Defense in Depth is an Information Assurance (IA) strategy where
multiple layers of defense are placed through out an Information
Technology (IT) system and addresses personnel, technology and
operations for the duration of the system's lifecycle."
http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)

FFL> To the contrary. The paradigm describes an
FFL> approach where you assume that invidual (even multiple) elements of your
FFL> defense fall, in the worst possible way (which could be code
FFL> execution).
Thank you for the definition, though I must let you know I am fully
aware of it. (I miss an mandatory RFC link) The presentation will
talk of exactly that "...assume.. multiple elements of your defense fall"

What currently is being done in the industry is to ADD more layers of
defence to protect against one failing, this is being done by adding
one parsing engine after the other. Again nobody said Defence in Depth
is wrong in itself, it's just the way the Software Industry has led
companies to implement it. _This_ is the point.

Don't get me wrong, defence in depth as general Paradigm is perfectly
fine :) But you would have had to listen to the talk to draw that
conclusion, this is what I find most irrating about your comment. And
it raises a big question mark as to your motivation for this public
comment.

FFL> What you are describing is people adding security software
FFL> _instead_ of applying a thorough defense in depth design.
I am describing nothing Felix, you are judging about a Presentation
_you have not even seen_. How dare you !!! ==))))

FFL> Your presentation title suggests that one of the very few paradigms
FFL> that actually promises long term security benefits does not work.
Felix I am suggesting nothing, your are taking a friendly invitation
as reason to bitch about how you THINK the talk will be given, though
you have no clue.

FFL> Wrong. I suggest you find a better title.
Zu befehl ! =)

The title fits the presentation perfectly, I find it rather arrogant
and bloated to comment in this way and fashion on a public mailing
list. I welcome any other comment to my personal Inbox, Phone, Fax
whatever, I will ignore any other comment by public means before
the actually talk was given and there is actual substance to start
a discussion. I would have loved to receive a question before you
shoot.

-- 
http://secdev.zoller.lu
Thierry Zoller
Fingerprint : 5D84 BFDC CD36 A951 2C45  2E57 28B3 75DD 0AC6 F1C7

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ