RE: [fw-wiz] concerning ~el8 / project mayhem

From: Crispin Harris (Harris_C@DeMorgan.com.au)
Date: 08/19/02


From: Crispin Harris <Harris_C@DeMorgan.com.au>
To: "'Darren Reed'" <darrenr@reed.wattle.id.au>, mjr@ranum.com
Date: Mon Aug 19 08:01:03 2002


I want one! That sounds q00!l <grin>

"There is no classroom, you just have to be present and on-line and after
the first year he might (or might not) decide to give you one."

-----Original Message-----
> From: Darren Reed [mailto:darrenr@reed.wattle.id.au]
>
> In some email I received from Marcus J. Ranum, sie wrote:
> > That's not hacking technique, that's commonsense engineering.
>
> I find a lot of IT is just "commonsense engineering", but how things
> go so wrong is a mystery. Well, I guess if you're forced to use
> broken tools, what can be expected but a misshapen result?

But so many programmers working on "Security Sensitive" code are not even
aware that there are published security coding practices, and buffer
overflow testing tools similar to the ones available for memory leakage
testing. More than once I have had extended (and sometimes loud) discussions
(read: arguments) with senior programmers who were supposed to have
"significant" security programming experience.

> > I should have been more clear in my terminology: I meant that you
> > don't need to run around with a big encrypted CDROM full of your
> > toolz to be a security guru. You need to understand the forms and
> > functions of categories of attacks so you can defend against them
> > or design around them as _categories_ - having specific knowledge
> > (or toolz) to break specific versions of software on specific
> > architectures -
> > that's just lame script-kid stuff. And there are a lot of "security
> > analysts" whose level of expertise is more in the script kiddy vein
> > than not. Perhaps we should call them "Scanner-kiddies" ? ;)
>
> Careful Marcus, it is starting to sound like you're justifying things
> like CISSP that teach you lots about nothing ;-)
>
> Maybe you should start offering courses in security and give out
> certificates titled MRCRISP (Marcus Ranum Certified Real Information
> Security Professional. :-)

The biggest differentiator that I have seen is whether any particular
security consultant/professional has an understanding that security is a
Risk Management process and a Business Continuity Planning issue.

In particular in terms of Risk Management: "Don't spend more on securing a
service than you would lose through its compromise or destruction."

Too many "Security Professionals" are IT Geeks who have decided "Security
looks cool", so added a veneer of security tools and buzz phrases (to a
lesser or greater depth of understanding), rather than people who have added
an understanding of IT, process, and risk to an understanding of security
concepts (such as separation, depth, response and timeliness) and models.
[1]

Kind regards,
        Crispin Harris
Senior Security Consultant (Sydney)
DeMorgan Information Security Systems
Toll Free: 1800-DEMORG (33 66 74)
Office: 02-9929-0377 Fax: 02-9499 4885
============================
Collecting the kiddie toolz is book-keeping.
Writing the toolz is just an exercise in patience. - MJR

[1] Sorry, this is my pet soap-box, it runs on for over an hour unless my
wife hits me. :-)





