Re: Safe and Intrusive Category confusion

[Kris Katterjohn <katterjohn () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/22/2009 08:12 PM, David Fifield wrote:
> On Sat, Sep 19, 2009 at 02:41:07AM -0400, Patrick Donnelly wrote:
> > I just was recently looking through some of the scripts' categories
> > and found some inconsistencies. Some of our scripts do not have an
> > intrusive or safe category. In previous discussions [1], the general
> > consensus was that safe and intrusive would be mutually exclusive
> > categories and each script would be in one of these two categories. I
> > did a check through our scripts to see which scripts were not safe and
> > not intrusive:
> >
> > (I edited one extraneous line out and one should note that the last
> > script, ssh-hostkey.nse is both safe AND intrusive??). I want to go
> > ahead and fix these scripts but wanted to make sure that having each
> > script be "safe" XOR "default" is the way to go?
>
> If this is the case, what do you think about deprecating intrusive and
> using "not safe" instead?
>
> I was trying to think of a reason not to have the safe XOR intrusive
> rule, but I couldn't think of any scripts that would be considered both
> safe and intrusive, or both not safe and not intrusive.

When I was first talking about the mutually exclusive, all encompassing Safe
and Intrusive categories, they weren't supposed to be necessary categories for
scripts to be placed into.  It was more like stressing a script is safe (or
whatever), or used when a script didn't really fall into any other category.
A script wasn't supposed to require either and not strictly considered either
(although it could always fit in one or the other).

Dropping Intrusive and using "not safe" doesn't really allow for this.  Now
every script that is safe must be categorized explicitly as Safe or its would
now be implicitly categorized as "intrusive" (not safe).

While I guess this may not pose a great concern, it does say that any script
not categorized as Safe is thrust into the "category" or "not safe".  While
this was of course the way it was before, "not safe" != "intrusive" since
scripts didn't have to say one way or another.  It wasn't required.

By this I mean every script should always have fit into Safe or Intrusive, but
they didn't have to.  Now they do because "not safe" would be equivalent to
"intrusive", since this would be all encompassing.

Hmm... but after rereading this, I realize I may have been more stuck on rules
than practicality :)

Also: while I doubt anybody likes this idea, if we were to drop one of the
categories I think it should be Safe.  I think it's more plausible for scripts
to be required to explicitly call themselves Intrusive than Safe.  You have to
make a script "not safe".  Besides, Intrusive scripts can do no harm and Safe
scripts could accidently cause problems.  But I'm sure there are more
arguments against this than I can already foretell :)

> David Fifield

Cheers,
Kris Katterjohn

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIcBAEBAgAGBQJKuaKTAAoJEEQxgFs5kUfuhSIP/0Bk+GcP9lQ/uWqlxho0LUxy
mOd8tOj50H48vF25IU+7pnQ0gvxtduWsrZVCuFRwFEl47eM/OT3KDpOP3rUfNiVC
jI4pGTaeOl8EMlH1sGKSxl9/bGQFdkckPQ0WbKo97HGIDORpAuwGqdHeBlEAtx5f
riZZg70Wo71iGSHHm+T/cLBuQjy6srb3A4opEy4x30B85TNjnv9HS4Rmi2MovWoi
E17qGITaJbV3ihZ69lrpq9iH2DP4bleNIayvySJlgCNettfYu3/Yajm9r5JD0s2x
+Ya89n1lkKrYr54C8sEi5T89TS2We4dhETI4qyZkjIUoEdYEdFqOw6MlOIlgBwqc
8c6P5/HDGRRBt528kKlhT8ML7ouNQrbacEoBkuChewcETnpMhoq3JSPtT9/fL8+G
Gw3FiuaIrdopFsPq+MWjxnKF2FA678yOfW0CxbcDHrnMKsiLLcaTkdTXIrO9Zjg5
YO4igZfxSm3ovXKFyMsoHfdkvkUcj+Pyn+8tWB3BpBV76PeF77gDY6T8Vd/TtaG5
VNdYitp3Wxw+KedVDWIZg5HxHVA8FMSB7cDMGEcuGCzKTaocDuGwlHOs3piJsgqF
EevCCHVj7qNCduKvhgLklojUN3yHkn1edlL/NRYtmf2CMuaUAqWpmhvGf5HIbTfm
Wi7HA5UeGp6oxxIcEar6
=mmAD
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org