lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 5 Aug 2008 19:55:12 -0400
From:	Theodore Tso <tytso@....edu>
To:	"Press, Jonathan" <Jonathan.Press@...com>
Cc:	Greg KH <greg@...ah.com>, Arjan van de Ven <arjan@...radead.org>,
	Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org,
	malware-list@...ts.printk.net,
	linux-security-module@...r.kernel.org
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro
	toalinuxinterfaceforonaccess scanning

On Tue, Aug 05, 2008 at 06:12:34PM -0400, Press, Jonathan wrote:
>  
> I don't think I'm stupid, but frankly I don't understand the point
> of the questions being asked in the last three responses to my
> statement.  I don't know why they are relevant, and I don't know how
> to answer them in a framework that we can all understand at the same
> time.  What is my threat model?  Naively stated, it is that there is
> a file on a machine that might do damage, either there or elsewhere,
> and I want to find it and get rid of it in the most efficient way.
> I am not defining the nature of the damage or the mechanism.

This is actually quite shocking to me.  You don't know how to define
the threat model?  And you call yourself in the security business?
Read some books or essays by Bruce Schneier.  A good one might be his
recent book, "Beyond Fear: Thinking Sensibly About Security In An
Uncertain World".

The naive refusal to think about threat models is why we have to
submit to really insane, useless, "security theater" every time we get
on an Airplane and have to take off our shoes and throw our bottleed
water into a huge heap in front of the security line.  (If they really
thought the water bottles could contain explosives, why leave them in
a huge pile in front of the TSA employees.  :-)

If the goal is to get make we are proof against malware, we need to be
very clear about the whys and wherefores about how the file might have
gotten there.  And if you are going to be serving that file a million
times a day, does it really make sense to block the open a million
times a day, or do you make sure that you notice when it gets
corrupted in the first place?

And security is not an absolute.  Just as the terrorists win if it can
induce the White House to shred the constitution and force us all to
live in a constant state of fear, it is also pointless to induce
people to install software that horrifically slows down their server
so badly that you can't get anything done.

If people in the AV industry don't know how to think about threat
models, it says a lot about their competence as security engineers.
And I say this as someone who was team lead of Kerberos at MIT, and
was the chair of the IP Security working group at the IETF (the
standards body for the Internet), and who has served on the Security
Area Directorate (alongside Bruce Schneier) at the IETF.

     		 	    	  	       	   - Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ