Firewall Wizards mailing list archives
RE: Transitive Trust: 40 million credit cards hack'd
From: "Brian Loe" <knobdy () stjoelive com>
Date: Sun, 19 Jun 2005 10:44:05 -0500
trust n. 1) Firm reliance on the integrity, ability, or character of a person or thing. 2) Custody; care. 3) Something committed into the care of another; charge.
trust.wor.thy adj. 1) Warranting trust; reliable.

This is to avoid arguments on semantics. Reading these, it seems that "trust" is an absolute and "trustworthiness" is subjective.

Applying that to some of the systems I have been charged with administering (and all thought on this subject is new to me - how unfortunate, eh?), they considered all systems required to talk to it as trustworthy. Various systems REQUIRED a certain level of access to do the job, so it was given. This trustworthiness is static. If something changed on the trustworthy system, the trusting system has no way of knowing about it and therefore it never re-evaluated the trustworthiness - then again, it couldn't, because the decision wasn't for the system to make, but the administrator, and the administrator's bosses. The level of trust would not change unless and if the trustworthy system was found to be compromised, and then it would be too late for the trusting system as well, because each step required human input/output (with all of the intangibles involved, like ego and laziness).

Aren't there already models out there that fix this? That place a stage of authentication and verification between each, or every other, transaction? (I'm thinking authentication is very different from verification. Authentication = I'm the system I say I am; Verification = my code is the code it's supposed to be. As sort of discussed in Marcus' reference.)

I'm just trying to understand all of this better.

<snip>

> Here I get to channel for Peter (since he doesn't follow this list)
>
> Do you mean Trust or Trustworthiness? Trust is transitive. Trustworthiness is altogether a different proposition.

<snip>

> There has recently been some theoretical work on trust algebras (see http://security.polito.it/cms2003/Program/Roessler13/1Roessler.pdf or http://security.dstc.edu.au/staff/ajosang/papers/algcert.pdf for example) but little of it has filtered into actual practice.
>
> Cool.. Reading now... Looks like their perspective is that Trust and Trustworthiness are a matter of degree. I think that's a terminology issue, but I'm kinda sticking with "Trust" as a platonic ideal - the absolute, uber-Trust 100% Good Stuff. Everything else is "acceptable risk"
>
> Y'know it occurs to me that one metric by which we might be able to tell that "computer science" and computer security have matured somewhat as a field is the eventual acceptance of a body of classical knowledge that a practitioner must be familiar with, in order to avoid being laughed at. Other than Denning and Cheswick/Bellovin/Rubin and maybe Schneier I'm coming up dry. Hmmm...

<snip>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
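The two ideas in the post above (trust that is transitive, and trustworthiness that is granted once and never re-evaluated) can be made concrete with a small model. The following is an added example, not code from the thread or from any of its participants: the system names, the "code images" and the use of a SHA-256 of the image as a stand-in for a real integrity measurement are all constructed for the illustration. It contrasts a static policy (the peer's code was checked when the administrator enrolled it, and identity alone is checked afterwards) with a policy that authenticates and re-verifies the peer on every transaction, and it computes what a system ends up trusting when trust is treated as transitive.

```python
"""Toy model of transitive trust versus per-transaction verification.

Added illustration; not from the original mailing-list thread. All names,
code images and hashes below are constructed for the example.
"""
import hashlib
from collections import deque


class System:
    """A host with an identity and a code image. The SHA-256 of the image
    stands in for whatever integrity measurement a real verifier would use."""

    def __init__(self, name, code):
        self.name = name
        self.code = code

    def authenticate(self):
        """Authentication in the post's sense: 'I'm the system I say I am'."""
        return self.name

    def measure(self):
        """Verification in the post's sense: 'my code is the code it's supposed to be'."""
        return hashlib.sha256(self.code).hexdigest()


def transitive_closure(trusts, start):
    """Everything `start` ends up trusting when trust is treated as transitive.
    `trusts` maps a system name to the set of names it directly trusts."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in trusts.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


class StaticTrust:
    """Trust decided once by the administrator and never re-evaluated:
    the code is checked at enrollment, identity alone is checked afterwards."""

    def __init__(self):
        self.allowed = set()

    def enroll(self, peer, expected_hash):
        if peer.measure() == expected_hash:
            self.allowed.add(peer.authenticate())

    def permit(self, peer):
        return peer.authenticate() in self.allowed


class VerifiedTrust:
    """Authenticate and re-verify the peer's code on every transaction."""

    def __init__(self):
        self.enrolled = {}

    def enroll(self, peer, expected_hash):
        self.enrolled[peer.authenticate()] = expected_hash

    def permit(self, peer):
        name = peer.authenticate()
        return name in self.enrolled and peer.measure() == self.enrolled[name]


def scenario():
    """Constructed scenario: a card processor trusts a front end, which in turn
    trusts a vendor box; the front end's code changes after enrollment."""
    trusts = {"processor": {"frontend"}, "frontend": {"vendor"}}
    closure = transitive_closure(trusts, "processor")   # {'frontend', 'vendor'}

    frontend = System("frontend", b"frontend-release-1.0")
    good_hash = frontend.measure()                       # value the admin approved

    static, verified = StaticTrust(), VerifiedTrust()
    static.enroll(frontend, good_hash)
    verified.enroll(frontend, good_hash)
    before = (static.permit(frontend), verified.permit(frontend))   # (True, True)

    # Something changed on the "trustworthy" system after it was enrolled.
    frontend.code = b"frontend-release-1.0-modified"
    after = (static.permit(frontend), verified.permit(frontend))    # (True, False)
    return closure, before, after


if __name__ == "__main__":
    print(scenario())
```

The point of the model is the `after` tuple: with the static policy the processor keeps talking to a front end whose code no longer matches what the administrator approved, and it would keep doing so until a human noticed; the per-transaction policy refuses at the first transaction after the change. The closure shows why that matters beyond the directly trusted peer: under transitive trust the processor is effectively relying on the vendor box as well, even though nobody enrolled it.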