Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Crispin Cowan <crispin () wirex com>
Date: Fri, 23 Aug 2002 15:47:45 -0700

Iván Arce wrote:

> > From: Marcus J. Ranum <core.lists.firewall-wizards () core-sdi com>
> >
> > willing to fix it. (Oddly, I suspect bullet-proof vest makers don't
> > have that kind of problem with their customers...)  So you have to
>
> Oddly, I suspect you are wrong.
> Yes, I suspect that bullet-proof vests are actually TESTED at some
> point in their production process and so are cars and weapons and many
> other things.

I was about to call Marcus out on that point too, until I thought about it very, very carefully.

MJR is NOT claiming that vests do not need to be tested. Rather, he is claiming that vest vendors do not need to demonstrate that naked people are vulnerable to gunfire.

Similarly, MJR claims that a security consultant does not need to demonstrate an actual vulnerability in order to claim there is a valid risk.

> Anyway, I always thought that resorting to analogies in the IS field is
> pointless, as each discipline has its own problem scenario and follows
> quite different paradigms.

Yes, reasoning by analogy is weak: in theory, theory is just like practice, but in practice, it isn't. More directly, the property being proposed needs to be shown to be present in both the analogy and the subject at hand, or the analogy provides no evidence. However, I submit that it is not credible to accuse MJR of being impractical.

But to the matter at hand: it is a grey area, and I can see both sides.

   * On one hand, there are clear cases where a risk is present, but an
     actual vulnerability may not be. "Look", says the consultant, "you
     have port 21 open and you're running WU-FTPD, yet you have no real
     need for it. That is a risk and should be closed." The consultant
     does not need to have a handy sploit for the installed version of
     WU-FTPD to be right on this count.
   * On the other hand, the customer does not have lots of security
     risk analysis expertise, and may have no idea what the consultant
     is talking about, and have to take things on faith. If the
     customer is expected to believe consultant advice without a
     demonstration, then they are at risk for "Look, you have port 25
     open on your mail server, and therefore need to buy my $25,000
     Port25Guard."

So caveat emptor applies, but the lack of a live exploit does not mean there is no risk.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
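The first bullet in the message above makes a concrete point: an exposed service with no business need (the WU-FTPD example) is a risk to report whether or not an exploit for the installed version is at hand. The following script, an added example and not code from the post or from any of the people quoted, encodes that reasoning as a routine check: it parses listener lines in the layout of `ss -ltnp`, ignores loopback-only sockets, and reports every other listening port that is not on an explicit allow list of documented services. The sample listener lines and the `REQUIRED_SERVICES` policy are constructed for this example and are not taken from any real host.

```python
"""Flag exposed listening services that have no documented need.

Added example: the finding is driven by policy (is this service needed?),
not by whether a working exploit for the running version exists.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -ltnp` (not output from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:21          0.0.0.0:*          users:(("wu-ftpd",pid=1450,fd=4))
LISTEN  0       100     0.0.0.0:25          0.0.0.0:*          users:(("sendmail",pid=902,fd=5))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=1201,fd=10))
"""

# Hypothetical policy for this host: ports it is documented to need, by purpose.
# Any other port listening on a non-loopback address becomes a finding.
REQUIRED_SERVICES: dict[int, str] = {22: "remote administration", 25: "mail relay"}

# Matches a LISTEN row: local address and port, then the optional process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_listeners(text: str) -> list[Listener]:
    """Extract (address, port, process) from ss -ltnp style rows."""
    found: list[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header row or a line in an unexpected layout
        found.append(Listener(m["addr"], int(m["port"]), m["proc"] or "unknown"))
    return found


def is_exposed(listener: Listener) -> bool:
    """True when the socket is reachable from beyond the local host."""
    return listener.address not in ("127.0.0.1", "::1", "[::1]")


def audit(text: str, required: dict[int, str]) -> list[str]:
    """Return one finding per exposed listener that the policy does not require."""
    findings: list[str] = []
    for lst in parse_listeners(text):
        if not is_exposed(lst) or lst.port in required:
            continue
        findings.append(
            f"port {lst.port}/tcp ({lst.process}) listens on {lst.address} "
            f"with no documented need; close it or restrict it, "
            f"regardless of whether an exploit for this version is known"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, REQUIRED_SERVICES):
        print(finding)
```

Run against the constructed sample, the audit reports only the FTP daemon on port 21: SSH and SMTP are in the allow list, and the database listener is bound to loopback only. The allow list is the place where the "do you actually need this?" question from the post is answered up front, so the consultant's claim and the customer's verification rest on the same documented policy rather than on a demonstration.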



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards