Re: [fw-wiz] concerning ~el8 / project mayhem

From: Marcus J. Ranum (mjr@ranum.com)
Date: 08/18/02


To: ark@eltex.ru, darrenr@reed.wattle.id.au (Darren Reed)
From: "Marcus J. Ranum" <mjr@ranum.com>
Date: Sun Aug 18 02:07:17 2002

ark@eltex.ru wrote:
>I think of Project Mayhem as positive trend for IT security.

Yep. AIDS has been a tremendous boon for our understanding of
viruses and immunity, too. Don't expect gratitude from its victims... ;)

>It's time to realize that there are things that are unknown to white hat
>community and a security expert should _predict risks_ instead of using
>traditional these days model "there is a bug recently discovered,

Oh, COME OFF IT!! We've known THAT for EVER.

It's only the desperate vendors and security newbies who subscribe
to trivial penetrate-and-patch schemes. I've been known to advocate
penetrate-and-patch-real-fast as an alternative to penetrate-and-patch-in-user-time
but only out of frustrated desperation. Because the more obvious alternatives
aren't happening due primarily to market pressures and cluelessness.

Predicting risks is part of decent design - which is lacking in far too
many cases. But it's the basic process of blocking whole categories
of attacks, rather than nickel-and-diming your way to glory. For example,
instead of worrying about individual buffer overruns in specific applications,
the wise designer should be looking for tools and development practices to
tackle that entire class of software flaws. Basically, it's the design decision
behind "that which is not expressly permitted is prohibited" - one effective
way of blocking web-based attacks is to block web (for example). We were
recently discussing exactly that philosophy on this list in the context of
adding SSL support to MTAs. For the record, when I raised that issue, I
was NOT aware of the multiple vulnerabilities in OpenSSL that were uncovered
a week later. But it did bolster my argument. "Nyah, nyah, I told you so."
There, I said it.

So, please don't say "people need to get out of 'penetrate and patch'" when
lots of us have been saying ALL ALONG that it's a bad idea. :) The fact
that a huge number of people and organizations continue to do security
design wrong is not because nobody knows how - unless you count willful
ignorance.

mjr.

---
Marcus J. Ranum - Computer and communications Security Expertise
mjr@ranum.com  (http://www.ranum.com)

