Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sat, 17 Aug 2002 21:24:40 -0400
ark () eltex ru wrote:
> I think of Project Mayhem as positive trend for IT security.

Yep. AIDS has been a tremendous boon for our understanding of viruses and immunity, too. Don't expect gratitude from its victims... ;)

> It's time to realize that there are things that are unknown to white hat community and a security expert should _predict risks_ instead of using traditional these days model "there is a bug recently discovered,

Oh, COME OFF IT!! We've known THAT for EVER. It's only the desperate vendors and security newbies who subscribe to trivial penetrate-and-patch schemes. I've been known to advocate penetrate-and-patch-real-fast as an alternative to penetrate-and-patch-in-user-time, but only out of frustrated desperation, because the more obvious alternatives aren't happening, due primarily to market pressures and cluelessness.

Predicting risks is part of decent design - which is lacking in far too many cases. But it's the basic process of blocking whole categories of attacks, rather than nickel-and-diming your way to glory. For example, instead of worrying about individual buffer overruns in specific applications, the wise designer should be looking for tools and development practices to tackle that entire class of software flaws. Basically, it's the design decision behind "that which is not expressly permitted is prohibited" - one effective way of blocking web-based attacks is to block web (for example).

We were recently discussing exactly that philosophy on this list in the context of adding SSL support to MTAs. For the record, when I raised that issue, I was NOT aware of the multiple vulnerabilities in OpenSSL that were uncovered a week later. But it did bolster my argument. "Nyah, nyah, I told you so." There, I said it.

So, please don't say "people need to get out of 'penetrate and patch'" when lots of us have been saying ALL ALONG that it's a bad idea. :) The fact that a huge number of people and organizations continue to do security design wrong is not because nobody knows how - unless you count willful ignorance.

mjr.
---
Marcus J. Ranum - Computer and communications Security Expertise
mjr () ranum com (http://www.ranum.com)

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards