Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: Crispin Cowan <crispin () wirex com>
Date: Fri, 23 Aug 2002 15:47:45 -0700
Iván Arce wrote:
> From: Marcus J. Ranum <core.lists.firewall-wizards () core-sdi com>
> > willing to fix it. (Oddly, I suspect bullet-proof vest makers don't have
> > that kind of problem with their customers...) So you have to
>
> Oddly, I suspect you are wrong. Yes, I suspect that bullet-proof vests are
> actually TESTED at some point in their production process, and so are cars
> and weapons and many other things.

I was about to call Marcus out on that point too, until I thought about it very, very carefully.
MJR is NOT claiming that vests do not need to be tested. Rather, he is claiming that vest vendors do not need to demonstrate that naked people are vulnerable to gunfire.
Similarly, MJR claims that a security consultant does not need to demonstrate an actual vulnerability in order to claim there is a valid risk.
> Anyway, I always thought that resorting to analogies in the IS field is
> pointless, as each discipline has its own problem scenario and follows
> quite different paradigms.

Yes, reasoning by analogy is weak: in theory, theory is just like practice, but in practice, it isn't. More directly, the property being proposed needs to be shown to be present in both the analogy and the subject at hand, or the analogy provides no evidence. However, I submit that it is not credible to accuse MJR of being impractical.
But to the matter at hand: it is a grey area, and I can see both sides.

* On one hand, there are clear cases where a risk is present, but an actual vulnerability may not be. "Look", says the consultant, "you have port 21 open and you're running WU-FTPD, yet you have no real need for it. That is a risk and should be closed." The consultant does not need to have a handy sploit for the installed version of WU-FTPD to be right on this count.

* On the other hand, the customer does not have lots of security risk analysis expertise, may have no idea what the consultant is talking about, and has to take things on faith. If the customer is expected to believe consultant advice without a demonstration, then they are at risk for "Look, you have port 25 open on your mail server, and therefore need to buy my $25,000 Port25Guard."

So caveat emptor applies, but the lack of a live exploit does not mean there is no risk.
Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                      http://wirex.com/~crispin/
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
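The kind of check the "port 21 open, no real need for it" argument describes can be written down so that the verdict depends on business need rather than on whether an exploit for the installed version exists. The following is an added illustration, not code from the thread or from any of its participants: it parses scan output in nmap's grepable (-oG) line format, which is real, but the hosts, addresses, product strings and the REQUIRED register of services each host is supposed to expose are constructed for the example.

```python
"""Triage exposed services by business need, not by exploit availability.

Added example (not part of the original thread). Reads nmap "grepable"
(-oG) scan lines, looks each open port up in a per-host register of
services the business actually needs, and flags everything else as an
exposure to close. No exploit database is consulted: an unneeded open
service is a finding whether or not a working exploit is known.
"""
import re
from dataclasses import dataclass

# Constructed sample scan output in nmap -oG format. Addresses, hostnames
# and product strings are made up; nothing here is a real scan result.
SAMPLE_SCAN = """\
Host: 192.0.2.10 (web.example.test)\tPorts: 21/open/tcp//ftp//wu-ftpd/, 80/open/tcp//http//Apache httpd/\tIgnored State: closed (998)
Host: 192.0.2.25 (mail.example.test)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 22/open/tcp//ssh//OpenSSH/, 111/open/tcp//rpcbind///\tIgnored State: closed (997)
"""

# Constructed "business need" register: (port, proto) each host must expose.
REQUIRED = {
    "192.0.2.10": {(80, "tcp")},
    "192.0.2.25": {(25, "tcp"), (22, "tcp")},
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    service: str
    product: str
    verdict: str


_HOST_RE = re.compile(r"^Host:\s+(\S+)")
_PORTS_RE = re.compile(r"Ports:\s+([^\t]+)")


def parse_grepable(text):
    """Yield (host, port, proto, state, service, product) per port entry.

    -oG port entries are slash-separated:
        port/state/proto/owner/service/rpcinfo/version
    Trailing empty fields are often collapsed, so pad to seven.
    """
    for line in text.splitlines():
        h = _HOST_RE.match(line)
        p = _PORTS_RE.search(line)
        if not h or not p:
            continue  # "Ignored State"-only or unparseable line
        host = h.group(1)
        for entry in p.group(1).split(","):
            fields = entry.strip().rstrip("/").split("/")
            fields += [""] * (7 - len(fields))
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            yield host, int(port), proto, state, service, version


def triage(scan_text, required):
    """Return one Finding per open service: keep if required, else close."""
    findings = []
    for host, port, proto, state, service, product in parse_grepable(scan_text):
        if state != "open":
            continue
        if (port, proto) in required.get(host, set()):
            verdict = "keep: business need on record; patch and monitor"
        else:
            # The risk stands on exposure alone; no exploit needed to justify it.
            verdict = "close: exposed with no business need"
        findings.append(Finding(host, port, proto, service, product, verdict))
    return findings


def to_close(findings):
    """Subset of findings the consultant would tell the customer to shut off."""
    return [f for f in findings if f.verdict.startswith("close")]


if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN, REQUIRED):
        print(f"{f.host}:{f.port}/{f.proto} {f.service} "
              f"({f.product or 'unknown'}) -> {f.verdict}")
```

Run against the constructed scan, the FTP service on the web host and rpcbind on the mail host come back as "close" findings, while HTTP, SMTP and SSH come back as "keep"; the advice to the customer is then traceable to the register of needed services, which is something the customer can verify without having to take an exploit demonstration on faith.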