Full Disclosure mailing list archives

Re: Re[6]: Response to comments on Security and Obscurity


From: James Tucker <jftucker () gmail com>
Date: Thu, 2 Sep 2004 16:01:19 +0100

This is my last post on this conversation, as I am now finding it hard
to be reasonable in my responses.

On Thu, 2 Sep 2004 17:41:39 +0400, 3APA3A <3apa3a () security nnov ru> wrote:
Security policy is never out of date because it's reviewed on a regular
basis. It's your information about available solutions that is out of
date.

Solutions being available and common implementations are two very
different things. I would love to spend $5M a year on security, but
the company does not make that much profit.

First, you constantly mess virii with worms and trojans. OK, let's think
as you said "malware". Whether malware is out of date or not depends on
the protection method you use against it. If you use antivirus - OK. You're
protected against known viruses and maybe some future modifications of
known viruses. This is very poor protection. A good protection is
creating sandboxes at the application, OS or hardware level. For example, in
a very simple case where a user can only run signed applications from an
allowed list, most virii become out of date.

This is confusing to me. The meaning of "out of date" is something
which no longer applies due to age. Restricting runnable software to a
highly vetted, controllable list does not make any virus out of date.
There are a great many practical reasons and scenarios where this
cannot be done. There is a point at which you will close down the
system so tight that the users can no longer achieve all their work
with the systems provided to them. The chain of command will then
demand that some things become more open again. There is no perfect
solution at this time, and the best solution for a given scenario is
one which fits that scenario. Please stop giving extremist examples;
they are poor in the same way that an analogy can be poor: it does not
cover all the bases.
 
In fact, the problem of virii is one of the largest and most expensive
hoaxes. An antiviral program gives no protection. You can treat it as a
kind of auditing tool which can alert you in case of poor
administration (you must sack your administrator if you catch virii on
your internal network) and filter some junk mail on your mail server,
like a SPAM filter does.

I do not agree with this at all. The current invasiveness of a large
number of internet viruses is such that without anti-virus
applications and updated definitions, on a larger scale network no
administrator could filter all that data by hand. If you think that a
good system administrator can completely eradicate the possibility of
a virus infection then you have a screw loose. There is no desktop
solution currently available which is secure enough to offer this
dream scenario. To suggest so is once again contradictory to good
security principles. You should never assume you are safe. With this
attitude it is not unlikely that a network which you administer is in
fact currently under attack.

I have different opinions on this question. I do not read this
discussion because I know the answer, even for the case where there is no
network protocol bound to the port and no software service listening on
it. I can point you to a real-life exploit with code executing directly
from the port (of course, if you want to learn these dirty exploitation
things). See the "Bonus" section in
http://www.security.nnov.ru/search/document.asp?docid=6145

That would be an exploit of a piece of software, which is running a
protocol on that port. The relevant line being: "IndigoPerl reads
Perl script from COM1: port."
Once again you have made an incorrect assumption here. In fact your
statement "I know answer, even for the case there is no network
protocol bound to port and no software service listening on it" is
completely false both for the real scenario and for the case you
provided yourself. Moreover, the exploit you "knew the answer to" had
no bounds or meaning in the domain described to apply to the question
asked in that discussion. What is the vector for incoming data on a
port which has no applications reading its buffers?
 
It means spending the first 6 months without leaving the room for him, because
he will not be able to leave the room without taking out his smart card.
As far as I know the human organism's resources, you will need a new CEO after
one week if there is no water supply in the room. It must be a really good
test for the CEO's IQ.

So you want a fully integrated smart card authentication and physical
security system running from the same cards. Well, now I just feel
upset. Are you aware of the reason why TCP/IP was made to be a
decentralised network?
I suppose I should suggest to the firm in my example that they rebuild
their entire physical infrastructure to use smart cards. This would
also have to be linked in with the fire system, and default to open
during a fire (by law in most countries). While I'm at it I will
request that they replace all of their desktops at the same time (so
that we get spangly new readers there too); meanwhile they will have
to move their entire office somewhere else. Thanks for the advice: the
shareholders didn't have the IT guy fired for that, they actively hung
him right there in the board room.

And to pay another guard to look after the first guard, because he can also
leave for lunch. The more people have access to the system, the less secure
the system is. Today it's the human who becomes the weakest chain in security.

How pedantic of you, thanks.
There is no such thing as a "weak chain" in security. There are places
in a system with no holes and places with. If I can get in and run
code the game is up; end of story. Any breach is as bad as the next.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
