Re[6]: [Full-Disclosure] Response to comments on Security and Obscurity

From: 3APA3A (3APA3A_at_SECURITY.NNOV.RU)
Date: 09/02/04

  • Next message: Clairmont, Jan M: "RE: [Full-Disclosure] Response to comments on Security and Obscurity"
    To: James Tucker <jftucker@gmail.com>
    Date: Thu, 2 Sep 2004 17:41:39 +0400
    
    

    Dear James Tucker,

    --Thursday, September 2, 2004, 3:16:45 PM, you wrote to 3apa3a@security.nnov.ru:

    >> Even more. This is very common scenario and this scenario must be
    >> covered by security policy. You are either unfamiliar with this problem or
    >> your information is out of date.

    JT> Security policies never "go out of date" and this scenario, as you
    JT> agreed with me, is still common today. If it is still common then
    JT> please explain how this is "out of date"?

    Security policy is never out of date because it's reviewed on a regular
    basis. It's your information about available solutions that is out of
    date.

    JT> Even viruses don't go "out of date", although many virus checkers
    JT> probably don't hold some of the really old DOS, Amiga, Apple and Unix

    First, you constantly mix up viruses with worms and trojans. OK, let's
    say "malware" as you did. Whether malware is out of date or not depends on
    the protection method you use against it. If you use an antivirus - OK. You're
    protected against known viruses and maybe some future modifications of
    known viruses. This is very poor protection. A good protection is
    creating sandboxes on the application, OS or hardware level. For example,
    in a very simple case where a user can only run signed applications from an
    allowed list, most viruses become out of date.

    In fact, the problem of viruses is one of the largest and most expensive
    hoaxes. An antiviral program gives no protection. You can treat it as a
    kind of auditing tool which can alert you in case of poor
    administration (you must sack your administrator if you catch viruses on
    your internal network) and filter some junk mail on your mail server,
    like a SPAM filter does.

    JT> virus definitions. As we have seen in another discussion on this
    JT> list there may well still be a risk of possible infection over
    JT> RS232, no matter how unlikely it is. I respect the author of that
    JT> question for asking about such possibilities. He was clearly trying
    JT> to cover all bases.

    I have a different opinion on this question. I did not read this
    discussion because I know the answer, even for the case where there is no
    network protocol bound to the port and no software service listening on it.
    I can point you to a real life exploit with executing code directly from
    the port (of course, if you want to learn these dirty exploitation things).
    See the "Bonus" section in
    http://www.security.nnov.ru/search/document.asp?docid=6145

    JT> I am aware of this, however follow the same scenario through to
    JT> fruition and you will find the CEO doesn't bother to take out his
    JT> smart card, at least for the first 6 months of having one. Education

    It means spending the first 6 months without leaving the room for him, because
    he will not be able to leave the room without taking out his smart card.
    As far as I know the resources of the human organism, you will need a new CEO
    after one week if there is no water supply in the room. It must be a really
    good test for the CEO's IQ.

    JT> it would have been more efficient
    JT> to pay a guard to stand at the door.

    And to pay another guard to look after the first guard, because he can also
    leave for lunch. The more people have access to the system, the less secure
    the system is. Today it's the human who becomes the weakest link in the
    security chain.

    -- 
    ~/ZARAZA
    The machine turned out to be capable of only one operation,
    namely multiplying 2x2, and even then it made mistakes. (Lem)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
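The "signed application from an allowed list" scheme the reply above mentions, as an added example (not code from the original post or from the list). It is a default-deny executable allowlist: a policy manifest lists the SHA-256 hashes of permitted images and is itself signed; anything not listed, or any manifest whose signature fails, is refused. The manifest format, the HMAC-with-shared-key signing and the byte-string "executables" are constructed stand-ins; a real deployment would use a public-key signature (e.g. code-signing certificates) and enforce the check in the OS loader rather than in user code.

```python
"""Default-deny application allowlist backed by a signed hash manifest.

Added example, not from the original mailing-list post. The manifest
layout, the HMAC-based signing (standing in for a vendor/public-key
signature) and the sample images are constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Set

# Constructed key standing in for the policy author's signing key.
POLICY_KEY = b"constructed-policy-signing-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(allowed_hashes: List[str], key: bytes = POLICY_KEY) -> Dict[str, str]:
    """Serialise the permitted hashes canonically and attach a signature."""
    body = json.dumps(sorted(allowed_hashes), separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": tag}


def verify_manifest(manifest: Dict[str, str], key: bytes = POLICY_KEY) -> Optional[Set[str]]:
    """Return the allowed hash set, or None if the signature does not check.

    A manifest that fails verification must not be trusted at all, so the
    caller sees no hashes rather than a partial or attacker-chosen list.
    """
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["sig"]):
        return None
    return set(json.loads(manifest["body"]))


def may_execute(image: bytes, manifest: Dict[str, str], key: bytes = POLICY_KEY) -> bool:
    """Default-deny: run only if the manifest verifies and the image hash is listed."""
    allowed = verify_manifest(manifest, key)
    if allowed is None:
        return False
    return sha256(image) in allowed


# Constructed stand-ins for executable images (not real binaries).
NOTEPAD = b"MZ\x90\x00constructed notepad image"
MAILER = b"MZ\x90\x00constructed mail client image"
WORM = b"MZ\x90\x00constructed never-before-seen worm"

# The policy author signs the hashes of the two approved applications.
MANIFEST = sign_manifest([sha256(NOTEPAD), sha256(MAILER)])


def demo() -> Dict[str, bool]:
    """Exercise the policy against approved, unknown and tampered cases."""
    # An attacker who can edit the manifest but not sign it adds the worm's hash.
    tampered = dict(MANIFEST)
    tampered["body"] = json.dumps(
        sorted([sha256(NOTEPAD), sha256(MAILER), sha256(WORM)]),
        separators=(",", ":"),
    )
    return {
        "notepad": may_execute(NOTEPAD, MANIFEST),                 # listed -> allowed
        "worm": may_execute(WORM, MANIFEST),                       # unknown -> denied
        "worm_tampered_manifest": may_execute(WORM, tampered),     # bad signature -> denied
        "notepad_patched": may_execute(NOTEPAD + b"\x00", MANIFEST),  # modified image -> denied
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point the reply makes follows directly from the last three cases: the worm is refused without anyone ever having seen it, so a signature database for it is irrelevant; the same applies to a trojaned copy of an approved program, since any byte change alters its hash.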
    
