Date: Wed, 10 Oct 2007 17:16:30 +0200
From: Sergio Alvarez <sergio.alvarez@...ns.com>
To: Thierry Zoller <Thierry@...ler.lu>,  fx@...urity-labs.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: Re: The Death of Defence in Depth ? - An invitation to Hack.lu

Hi FX,

Those were Thierry's words, *not* mine. I want to make this clear so
that there are no misunderstandings.
The fact is that you are 100% correct, our talk will be about 'Defeating
Defenses', especially focusing on border/perimeter and intranet defenses.
We won't talk about defeating any defense in depth mechanisms (i.e. like
bypassing any exploitation prevention mechanisms).

Cheers,
  Sergio

Thierry Zoller wrote:
> Dear Felix,
> While I love your comment and really welcome constructive criticism,
> I actually think you should keep the focus on the Fox News style
> question marks. Nowhere is it said that this is the end of
> Defence in Depth (as a paradigm), we ask the question.
> 
> Then again you seem to be judging about something you haven't seen
> nor read. Is this because I ask the Fox News style questions and you
> give Fox News style comments ?
> 
> FFL> the title is misleading at best.
> While I have the utmost respect of your person, in this particular
> case, I am sorry dude, but how can you tell ? Have you seen the
> presentation? Have you heard the conclusion? I don't think so?
> Though you are more than welcome to see it :)
> 
> FFL> Defense in Depth has nothing to do
> FFL> with security software.
> In a certain sense it has. Defence in depth is a Paradigm as not only
> applied to how you design software but also how you implement solutions.
> The talk is about reality, not an RFC or CISSP Definition.
> 
> FYI, while certainly not a reference, here is what Wikipedia has to say:
> "Defense in Depth is an Information Assurance (IA) strategy where
> multiple layers of defense are placed throughout an Information
> Technology (IT) system and addresses personnel, technology and
> operations for the duration of the system's lifecycle."
> http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
> 
> FFL> To the contrary. The paradigm describes an
> FFL> approach where you assume that individual (even multiple) elements of your
> FFL> defense fall, in the worst possible way (which could be code
> FFL> execution).
> Thank you for the definition, though I must let you know I am fully
> aware of it. (I miss a mandatory RFC link) The presentation will
> talk of exactly that "...assume.. multiple elements of your defense fall"
> 
> What currently is being done in the industry is to ADD more layers of
> defence to protect against one failing, this is being done by adding
> one parsing engine after the other. Again nobody said Defence in Depth
> is wrong in itself, it's just the way the Software Industry has led
> companies to implement it. _This_ is the point.
> 
> Don't get me wrong, defence in depth as general Paradigm is perfectly
> fine :) But you would have had to listen to the talk to draw that
> conclusion, this is what I find most irritating about your comment. And
> it raises a big question mark as to your motivation for this public
> comment.
> 
> FFL> What you are describing is people adding security software
> FFL> _instead_ of applying a thorough defense in depth design.
> I am describing nothing Felix, you are judging about a Presentation
> _you have not even seen_. How dare you !!! ==))))
> 
> FFL> Your presentation title suggests that one of the very few paradigms
> FFL> that actually promises long term security benefits does not work.
> Felix I am suggesting nothing, you are taking a friendly invitation
> as reason to bitch about how you THINK the talk will be given, though
> you have no clue.
> 
> FFL> Wrong. I suggest you find a better title.
> At your command! =)
> 
> The title fits the presentation perfectly, I find it rather arrogant
> and bloated to comment in this way and fashion on a public mailing
> list. I welcome any other comment to my personal Inbox, Phone, Fax
> whatever, I will ignore any other comment by public means before
> the actual talk was given and there is actual substance to start
> a discussion. I would have loved to receive a question before you
> shoot.
> 

-- 

"If we knew what it was we were doing, it would not be called research,
would it?", Albert Einstein

====================================================================
Sergio Alvarez
Director of Research
Security

n.runs AG
Nassauer Strasse 60
D-61440 Oberursel
Germany

phone:  +49 6171 699 538
fax:    +49 6171 699 199
email:  sergio.alvarez@...ns.com
http://www.nruns.com

Key fingerprint = B1E1 C0F2 89E6 575D 32DB  A871 AAAA E025 B237 9274
Key ID = B2379274

security - network - technology - consulting - vendor-independent

Register court: Bad Homburg v.d. Hoehe, HRB 10399

Supervisory board:
Horst Marscholek (Chairman)
Ulrich Caspar
Alexander Kersting

Executive board:
Andreas Bruns (Chairman)
Donald Lee

