lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <006c01c80d22$299ad040$7cd070c0$@us>
Date: Sat, 13 Oct 2007 00:49:03 +0200
From: "Eric Rachner" <eric@...hner.us>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Re: The Death of Defence in Depth ? - An
	invitation to Hack.lu

$0.02:
 
"Defense in Depth" means *reducing* attackable surface, *reducing* execution
privilege, *reducing* complexity, etc.
 
If you guys are criticizing the ongoing trend towards enterprise-wide AV
monitoring and routing all network traffic through SSL-terminating
deep-packet-inspecting content-filtering 1U rack mount appliances, well,
that's more like the exact opposite.  That's more surface area, more
complexity, and more privilege. 
 
I'd call it "Defense in Breadth."
 
- Eric
 
Thierry Zoller wrote:
> Dear Felix,
> While I love your comment and really welcome constructive criticism,
> I actually think you should keep the focus on the Fox News style
> question marks. Nowhere is being said that this is the end of
> Defence in Depth (as a paradigm), we ask the question.
> 
> Then again you seem to be judging about something you haven't seen
> nor read. Is this because I ask the Fox News style questions and you
> give Fox News style comments ?
> 
> FFL> the title is misleading at best.
> While I have the upmost respect of your person, in this particular
> case, I am sorry dude, but how can you tell ? Have you seen the
> presentation? Have you heard the conclusion? I don't think so?
> Though you are more than welcome to see it :)
> 
> FFL> Defense in Depth has nothing to do
> FFL> with security software.
> In a certain sense it has. Defence in depth is a Paradigm as not only
> applied to how you design software but also how you implement solutions.
> The talk is about reality, not an RFC or CISSP Definition.
> 
> FYI, while certainly not a reference, here is what Wikipedia has to say:
> "Defense in Depth is an Information Assurance (IA) strategy where
> multiple layers of defense are placed through out an Information
> Technology (IT) system and addresses personnel, technology and
> operations for the duration of the system's lifecycle."
> http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
> 
> FFL> To the contrary. The paradigm describes an
> FFL> approach where you assume that invidual (even multiple) elements of
your
> FFL> defense fall, in the worst possible way (which could be code
> FFL> execution).
> Thank you for the definition, though I must let you know I am fully
> aware of it. (I miss an mandatory RFC link) The presentation will
> talk of exactly that "...assume.. multiple elements of your defense fall"
> 
> What currently is being done in the industry is to ADD more layers of
> defence to protect against one failing, this is being done by adding
> one parsing engine after the other. Again nobody said Defence in Depth
> is wrong in itself, it's just the way the Software Industry has led
> companies to implement it. _This_ is the point.
> 
> Don't get me wrong, defence in depth as general Paradigm is perfectly
> fine :) But you would have had to listen to the talk to draw that
> conclusion, this is what I find most irrating about your comment. And
> it raises a big question mark as to your motivation for this public
> comment.
> 
> FFL> What you are describing is people adding security software
> FFL> _instead_ of applying a thorough defense in depth design.
> I am describing nothing Felix, you are judging about a Presentation
> _you have not even seen_. How dare you !!! ==))))
> 
> FFL> Your presentation title suggests that one of the very few paradigms
> FFL> that actually promises long term security benefits does not work.
> Felix I am suggesting nothing, your are taking a friendly invitation
> as reason to bitch about how you THINK the talk will be given, though
> you have no clue.
> 
> FFL> Wrong. I suggest you find a better title.
> Zu befehl ! =)
> 
> The title fits the presentation perfectly, I find it rather arrogant
> and bloated to comment in this way and fashion on a public mailing
> list. I welcome any other comment to my personal Inbox, Phone, Fax
> whatever, I will ignore any other comment by public means before
> the actually talk was given and there is actual substance to start
> a discussion. I would have loved to receive a question before you
> shoot.
> 
 
-- 
 
"If we knew what it was we were doing, it would not be called research,
would it?", Albert Einstein
 

 


Download attachment "winmail.dat" of type "application/ms-tnef" (9722 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ