Dailydave mailing list archives
Re: The CrateMaster2000 of Security.
From: Robert Graham <robert_david_graham () yahoo com>
Date: Fri, 26 Jan 2007 15:36:19 -0800 (PST)
--- Anton Chuvakin <anton () chuvakin org> wrote:
> So, I am curious, how is CVSS like a CrateMaster 2000?
You can't create definitive metrics for things like this. Down the road from Singapore is Kuala Lumpur (KL), home to the Petronas Towers. After their completion in 1998, they were hailed as the "World's Tallest Building" (taking the honor away from the Sears Tower in Chicago). This designation depended upon changing the criteria for what it meant to be the world's tallest. You'd think that such criteria would be pretty simple and objective: just measure from top to bottom. In reality, it's complex because you can't define where the bottom is, where the top is, or even whether something is a building. After looking at the following diagram, you'll see why many people still consider the Petronas Towers quite a bit shorter than the Sears Tower:

http://www.skyscraperpage.com/diagrams/?25384417

CVSS is the same way. It tries to reduce something that is inherently complex to a single number (or set of numbers). It gives the appearance of scientific legitimacy to something that is as arbitrary as a game or movie review. ("I give this vuln two thumbs up!!!")

The fundamental problem with cyber-security metrics is that the things we can easily quantify are rarely interesting, and the things that are interesting are hard to quantify. The pseudo-science of security metrics goes ahead and quantifies them anyway.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- The CrateMaster2000 of Security. Dave Aitel (Jan 25)
- Re: The CrateMaster2000 of Security. Anton Chuvakin (Jan 25)
- Re: The CrateMaster2000 of Security. andre (Jan 26)
- Re: The CrateMaster2000 of Security. Robert Graham (Jan 26)
- Re: The CrateMaster2000 of Security. Ron Gula (Jan 27)
- <Possible follow-ups>
- FW: The CrateMaster2000 of Security. Des Ward (Jan 28)
- Re: FW: The CrateMaster2000 of Security. Florian Weimer (Jan 30)
- Re: FW: The CrateMaster2000 of Security. Des Ward (Jan 30)
- Re: The CrateMaster2000 of Security. Anton Chuvakin (Jan 25)