Full Disclosure mailing list archives
RE: Right-wing computer virus
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 08 Jul 2003 23:30:42 +1200
"Jason Bethune" <jbethune () town kentville ns ca> wrote:
> As a newbie....to the list....I am just curious...do viruses not propose a security risk? I am not taking sides just asking a question so I can get proper information.

Viruses, Trojans, and most other forms of what is nowadays more loosely known as "malware" primarily pose an integrity risk, and availability, access and integrity are generally the three foundation stones of "computer security".

Arguably, in a modestly well-designed computer system, integrity concerns reduce to "the HR problem" (i.e. how do you select, as employees, sufficiently honest and reliable folk). Unfortunately, most computer systems in operation today (and virtually all such "on the Internet") assume (quite incorrectly) that, at most, suitably defining discretionary access controls also resolves the integrity problem. In fact, these issues are orthogonal, or at least nowhere near as close to parallel as that practice suggests. As most systems are implemented with very little (in fact, usually _no_) system-administrative control over the code that runs on them, the integrity "problem" is, in fact, entirely ignored. (Further, the general ignorance of this and push toward the "convenience" of allowing the _user_ to decide what "new" code can or should be run drives a lot of ongoing code integrity management problems, including the problems posed by viruses and related malware...)

So, the short answer to your question is "Yes, viruses are a security issue". The longer, and much more accurate, answer is that "as modern computer security practice and training tends to ignore the actual basis of and type of threat posed by viruses, viruses are not really addressed as a 'security problem' although they will usually be labelled as such". (Or, "avoid the marketing hype".)

This may not seem like it helps much -- if not, try to make sense of Fred Cohen's early work as I am only repeating part of what he first said close to twenty years ago. If you do get a handle on Cohen's work you will understand what I am saying and be conceptually ahead of 95%+ of the "experts" out there (who will continue to not understand this).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html