Message-ID: <4BF0765C.4530.6D13018D@stuart.cyberdelix.net>
Date: Sun, 16 May 2010 23:49:00 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows' future (reprise)

Imagine you are in an enclosed space.  It starts to flood.  As the 
water level rises, the amount of oxygen you have available falls.  
Unless it stops flooding, eventually you will have no oxygen at all.

So, the CPU, RAM, diskspace, and network bandwidth of your machine, 
as well as limits imposed by integer math, are the enclosed space. 
Those specify the finite processing limits of your machine.  Malware 
is the flood.  Oxygen is what's left in your enclosed space/machine, 
once your malware defences have run.

Malware is flooding at 243% (+/- error).  This is consuming the 
oxygen in your machine.  You can enlarge your enclosed space, with 
hardware upgrades, but that's not stopping the flooding.

Eventually you will find it's not possible to upgrade the machine 
(usually a software dependency of some kind).  At this point the 
machine will run slower and slower.  Your alternatives will be to 
disconnect the machine from the internet, and partially/completely 
disable malware filters; or to replace the machine.

As you can see you're spending money on upgrades and replacements, 
and losing productivity and/or capabilities (eg. internet access).

Meanwhile, the malware is still flooding into your enclosed space.  
Every second that goes by, the rate of flooding increases.  Your boss 
is screaming at you for spending a zillion on hardware.  Your users 
are whinging because everything is running like a dog.  Your support 
staff are running around constantly fixing machines on which the AV 
has failed (yet again) to stop the latest 0-day variant.  Your 
company's customers are livid because you had to tell them you had a 
trojan on an accounts machine and their credit card data is now on 
the web.  Your wife has the hump because you're never home, except in 
a bad mood, your kids think you are a boarder, and the dog hates you 
because you never take it for walks anymore.

And you now need to go to your boss and ask for more money for more 
upgrades.

What are you gonna do?  Are you going to let your IT run like this 
forever?  Do you think your boss will like it when you ask him for 
more budget?

What is your long-term strategy for fixing this problem?

Stu

On 16 May 2010 at 19:08, Thor (Hammer of God) wrote:

From:	"Thor (Hammer of God)" <Thor@...merofgod.com>
To:	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Date sent:	Sun, 16 May 2010 19:08:26 +0000
Subject:	Re: [Full-disclosure] Windows' future (reprise)

> The error in your overall thesis is your failure to identify the difference between threat and risk.  You are interacting with Symantec's report of "x new threats" as if it actually means something, or more specifically, that these new threats somehow translate into some new level of risk.  They don't.
> 
> According to Stephen Hawking, there are new threats emerging based on the statistical probability of the existence of aliens.  Therefore, a "threat" exists where I may be struck in the head by a falling block of green alien poo, frozen in the atmosphere after being flushed out by a passing pan-galactic alien survey ship.  However, the actual *risk* of me being hit in the head while walking to a matinée of The Rocky Horror Picture Show doesn't dictate that I apply a small mixture of Purell and Teflon to my umbrella and fill my squirt gun with alien repellent.
> 
> The risk of me personally being struck by falling alien poo is *far* lower than the risk of any one of the almost 7 billion people on the planet being struck by falling alien poo.  You may be able to calculate the risk of my being poo'd in relation to any given human being poo'd, but no level of math will allow you to determine what my or any other person's individual chance of being poo'd is.
> 
> Your argument would call everyone to change the way they protect themselves from falling alien poo out of the mere existence of a threat without really qualifying the associated risk.  That does nothing for anyone, and would only cause a rise in the cost of umbrellas and squirt guns and would probably result in the theater putting the kibosh on Rock Horror completely and charging people to watch Born Free.  (Insert clever association of "Born Free" with "free" open source products here.  See what I did there?)
> 
> Further, the basis of this "threat" is that you would actually have to trust what Stephen Hawking is saying in the first place.  In his case, there really isn't any way to know that he's the one saying it, is there?  For all we know, the ghost of Carl Sagan could have hacked into his computer and has made Mr. Hawking's requests to have his Depends changed translated into "run for your lives, the aliens are coming, the aliens are coming"  when his computer talks.
> 
> My point is that you are taking threat statistics from Symantec 
> that don't mean anything on their own, as there is no definition of 
> how those threats would apply to any given system, and directly 
> converting them into some global level of risk - and you are doing so 
> to such extremes that you actually conclude that the solution is to 
> do away with Microsoft products based on some unproven and imagined 
> postulate that closed source is somehow at the core of the issue 
> while at the same time admitting you don't know anything about the 
> platform.   The fact that you are actually using Windows and programs 
> written with Visual Studio out of convenience to you critically 
> damages your argument.  If you as the author of this idea refuse to 
> migrate from Windows or applications written with Windows development 
> products and frameworks just because it is *not convenient* for you, 
> how could you possibly expect anyone supporting any infrastructure of 
> consequence to take your advice or even consider your ideas as 
> anything other than hysteria when they would have to engage in 
> unfathomable expense, effort and time to create a total and complete 
> paradigm change in their business simply to try to defend against 
> being hit by falling alien poo?
> 
> t


---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
