Dailydave mailing list archives

Re: The CrateMaster2000 of Security.


From: Robert Graham <robert_david_graham () yahoo com>
Date: Fri, 26 Jan 2007 15:36:19 -0800 (PST)

--- Anton Chuvakin <anton () chuvakin org> wrote:
> So, I am curious, how is CVSS like a CrateMaster 2000?

You can't create definitive metrics for things like this. 

Down the road from Singapore is Kuala Lumpur (KL), home to the
Petronas Towers. After their completion in 1998, they were hailed as the
"World's Tallest Building" (taking the honor away from the Sears Tower in
Chicago). This designation depended upon changing the criteria for what it
meant to be the world's tallest. You'd think that such criteria would be pretty
simple and objective, just measure from top to bottom. In reality, it's complex
because you can't define where the bottom is, where the top is, or even whether
something is a building. After looking at the following diagram, you'll see why
many people still consider the Petronas towers quite a bit shorter than the
Sears Tower:

http://www.skyscraperpage.com/diagrams/?25384417

CVSS is the same way. It tries to reduce something to a single number (or set
of numbers) that is inherently complex. It gives the appearance of scientific
legitimacy to something that is as arbitrary as a game or movie review. ("I
give this vuln two thumbs up!!!").

The fundamental problem with cyber-security metrics is that the things we can
easily quantify are rarely interesting, and the things that are interesting are
hard to quantify. The pseudo-science of security metrics goes ahead and
quantifies them anyway.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave