Message-ID: <20080805235511.GC8224@mit.edu>
Date: Tue, 5 Aug 2008 19:55:12 -0400
From: Theodore Tso <tytso@....edu>
To: "Press, Jonathan" <Jonathan.Press@...com>
Cc: Greg KH <greg@...ah.com>, Arjan van de Ven <arjan@...radead.org>,
Eric Paris <eparis@...hat.com>, linux-kernel@...r.kernel.org,
malware-list@...ts.printk.net,
linux-security-module@...r.kernel.org
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning
On Tue, Aug 05, 2008 at 06:12:34PM -0400, Press, Jonathan wrote:
>
> I don't think I'm stupid, but frankly I don't understand the point
> of the questions being asked in the last three responses to my
> statement. I don't know why they are relevant, and I don't know how
> to answer them in a framework that we can all understand at the same
> time. What is my threat model? Naively stated, it is that there is
> a file on a machine that might do damage, either there or elsewhere,
> and I want to find it and get rid of it in the most efficient way.
> I am not defining the nature of the damage or the mechanism.
This is actually quite shocking to me. You don't know how to define
the threat model? And you call yourself in the security business?
Read some books or essays by Bruce Schneier. A good one might be his
recent book, "Beyond Fear: Thinking Sensibly About Security In An
Uncertain World".
The naive refusal to think about threat models is why we have to
submit to really insane, useless, "security theater" every time we get
on an airplane and have to take off our shoes and throw our bottled
water into a huge heap in front of the security line. (If they really
thought the water bottles could contain explosives, why leave them in
a huge pile in front of the TSA employees. :-)
If the goal is to make sure we are proof against malware, we need to be
very clear about the whys and wherefores about how the file might have
gotten there. And if you are going to be serving that file a million
times a day, does it really make sense to block the open a million
times a day, or do you make sure that you notice when it gets
corrupted in the first place?
And security is not an absolute. Just as the terrorists win if they can
induce the White House to shred the constitution and force us all to
live in a constant state of fear, it is also pointless to induce
people to install software that horrifically slows down their server
so badly that you can't get anything done.
If people in the AV industry don't know how to think about threat
models, it says a lot about their competence as security engineers.
And I say this as someone who was team lead of Kerberos at MIT, and
was the chair of the IP Security working group at the IETF (the
standards body for the Internet), and who has served on the Security
Area Directorate (alongside Bruce Schneier) at the IETF.
- Ted
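Ted's point about not blocking the same open a million times when you could instead notice the write that corrupted the file, as an added illustration that is not part of this thread or of the TALPA patches: a toy on-access scanner whose open hook caches a per-file verdict keyed to a write generation counter, beside the naive policy that runs the scanner on every open. The inode numbers, the "EVIL" signature and the hook names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not TALPA code: a toy on-access scanner that caches
 * a per-file verdict and invalidates it on write, versus scanning on every
 * open. Inode numbers, the "EVIL" signature and the hooks are constructed. */

#define MAX_FILES 16
#define DATA_MAX 64

struct file_state {
    uint64_t inode;        /* identifies the file; 0 marks a free slot */
    uint64_t write_gen;    /* incremented on every write */
    uint64_t scanned_gen;  /* write_gen at the time of the last scan */
    bool     have_verdict; /* a scan has run at least once for this file */
    bool     clean;        /* verdict of that scan */
    char     data[DATA_MAX];
};

static struct file_state files[MAX_FILES];
static unsigned long scan_count;  /* how many times the scanner actually ran */

void reset_fs(void) {
    memset(files, 0, sizeof files);
    scan_count = 0;
}

unsigned long scans_so_far(void) { return scan_count; }

static struct file_state *lookup(uint64_t inode, bool create) {
    struct file_state *free_slot = NULL;
    for (int i = 0; i < MAX_FILES; i++) {
        if (files[i].inode == inode) return &files[i];
        if (!free_slot && files[i].inode == 0) free_slot = &files[i];
    }
    if (!create || !free_slot) return NULL;
    free_slot->inode = inode;
    return free_slot;
}

/* Constructed signature check standing in for a real AV engine. */
static bool scan_content(struct file_state *f) {
    scan_count++;
    return strstr(f->data, "EVIL") == NULL;
}

/* Write hook: store the content and bump the generation so any cached
 * verdict becomes stale. Returns false if the table is full or data too long. */
bool file_write(uint64_t inode, const char *data) {
    struct file_state *f = lookup(inode, true);
    if (!f || strlen(data) >= DATA_MAX) return false;
    strcpy(f->data, data);
    f->write_gen++;
    return true;
}

/* Open hook. With use_cache, the scanner runs only when no verdict exists
 * or the file has been written since the last scan; without it, the scanner
 * runs on every open. Returns true if the open is allowed. */
bool file_open(uint64_t inode, bool use_cache) {
    struct file_state *f = lookup(inode, false);
    if (!f) return false;  /* no such file */
    bool stale = !f->have_verdict || f->scanned_gen != f->write_gen;
    if (!use_cache || stale) {
        f->clean = scan_content(f);
        f->have_verdict = true;
        f->scanned_gen = f->write_gen;
    }
    return f->clean;
}

/* Open the same file n times and return how many scans that cost. */
unsigned long serve_file(uint64_t inode, unsigned n, bool use_cache) {
    unsigned long before = scan_count;
    for (unsigned i = 0; i < n; i++) file_open(inode, use_cache);
    return scan_count - before;
}

int main(void) {
    reset_fs();
    file_write(1, "hello world");
    printf("cached:   %lu scans for 1000 opens\n", serve_file(1, 1000, true));
    printf("uncached: %lu scans for 1000 opens\n", serve_file(1, 1000, false));
    file_write(1, "EVIL payload");
    printf("after corruption, open allowed: %d\n", file_open(1, true));
    return 0;
}
```

The cached policy costs one scan per write generation rather than one per open, and the write that changes the content is the event that forces the rescan, which is exactly the "notice when it gets corrupted" alternative in the message above. A real implementation would also have to decide what to do with files modified through paths the hook does not see (mmap, direct block writes, a compromised kernel), which is the threat-model question the thread is arguing about.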
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/