Full Disclosure mailing list archives
Re: Re[6]: Response to comments on Security and Obscurity
From: James Tucker <jftucker () gmail com>
Date: Thu, 2 Sep 2004 16:01:19 +0100
This is my last post on this conversation, as I am now finding it hard to be reasonable in my responses.

On Thu, 2 Sep 2004 17:41:39 +0400, 3APA3A <3apa3a () security nnov ru> wrote:
> Security policy is never out of date because it's reviewed on a regular basis. It's your information about available solutions that is out of date.
Solutions being available and common implementations are two very different things. I would love to spend $5M a year on security, but the company does not make that much profit.
> First, you constantly mix up virii with worms and trojans. OK, let's think as you said: "malware". Whether malware is out of date or not depends on the protection method you use against it. If you use antivirus - OK. You're protected against known viruses and maybe some future modifications of known viruses. This is very poor protection. A good protection is creating sandboxes on the application, OS or hardware level. For example, in a very simple case where a user can only run a signed application from an allowed list, most virii become out of date.
This is confusing to me. The meaning of "out of date" is something which no longer applies due to age. Restricting runnable software to a highly vetoed, controllable list does not make any virus out of date. There are a great many practical reasons and scenarios where this cannot be done. There is a point at which you will close down the system so tight that the users can no longer achieve all their work with the systems provided to them. The chain of command will then demand that some things become more open again. There is no perfect solution at this time, and the best solution for a given scenario is one which fits that scenario. Please stop giving extremist examples; they are poor in the same way that an analogy can be poor: it does not cover all the bases.
> In fact, the problem of virii is one of the largest and most expensive hoaxes. Antiviral programs give no protection. You can treat them as a kind of auditing tool which can alert you in case of poor administration (you must sack your administrator if you catch virii on your internal network) and filter some junk mail on your mail server, like a SPAM filter does.
I do not agree with this at all. The current invasiveness of a large number of internet viruses is such that without anti-virus applications and updated definitions, on a larger-scale network no administrator could filter all that data by hand. If you think that a good system administrator can completely eradicate the possibility of a virus infection then you have a screw loose. There is no desktop solution currently available which is secure enough to offer this dream scenario. To suggest so is once again contradictory to good security principles. You should never assume you are safe. With this attitude it is not unlikely that a network which you administer is in fact currently under attack.
> I have different opinions on this question. I do not read this discussion because I know answer, even for the case there is no network protocol bound to port and no software service listening on it. I can point you to a real-life exploit with code executing directly from the port (of course, if you want to learn these dirty exploitation things). See the "Bonus" section in http://www.security.nnov.ru/search/document.asp?docid=6145
That would be an exploit of a piece of software which is running a protocol on that port. The relevant line being: "IndigoPerl reads Perl script from COM1: port." Once again you have made an incorrect assumption here. In fact your statement "I know answer, even for the case there is no network protocol bound to port and no software service listening on it" is completely false both for the real scenario and for the case you provided yourself. Moreover, the exploit you "knew the answer to" had no bounds or meaning in the domain described to apply to the question asked in that discussion. What is the vector for incoming data on a port which has no applications reading its buffers?
> It means spending the first 6 months without leaving the room, because he will not be able to leave the room without taking out his smart card. As far as I know about human organism resources, you will need a new CEO after one week if there is no water supply in the room. It must be a really good test for the CEO's IQ.
So you want a fully integrated smart card authentication and physical security system running from the same cards. Well, now I just feel upset. Are you aware of the reason why TCP/IP was made to be a decentralised network? I suppose I should suggest to the firm in my example that they rebuild their entire physical infrastructure to use smart cards; this would also have to be linked in with the fire system and default to open during a fire (by law in most countries). While I'm at it, I will request that they replace all of their desktops at the same time (so that we get spangly new readers there too); meanwhile they will have to move their entire office somewhere else. Thanks for the advice; the shareholders didn't have the IT guy fired for that, they actively hung him right there in the board room.
> And to pay another guard to look after the first guard, because he can also leave for lunch. The more people have access to the system, the less secure the system is. Today it's the human that becomes the weakest chain in security.
How pedantic of you, thanks. There is no such thing as a "weak chain" in security. There are places in a system with no holes and places with. If I can get in and run code the game is up; end of story. Any breach is as bad as the next.