Re: "Local" and "Remote" considered insufficient

From: Ejovi Nuwere (ejovi_at_ejovi.net)
Date: 10/23/03

    Date: Wed, 22 Oct 2003 23:44:03 -0400
    To: "Steven M. Christey" <coley@mitre.org>
    
    

    Steve,

    To summarize a vulnerability in one line is always difficult, more so
    when you are writing in a language other than your native tongue. Your
    ideas might help alleviate some of those troubles but not the core; in
    addition to language issues, most security researchers are simply poor
    writers. All of the complexities you detailed are very real; that is why
    there needs to be a simplified terminology.

    While Local and Remote alone are clearly not enough, Local, Remote,
    Remote Level 1, Remote Beta and Remote Delta will not help either.

    The idea of Local, Remote, and Remote Authenticated sounds nice and I
    would love to see more researchers adhere to this phrasing or something
    similar to the risk categories vulnerability scanners use. Low, Medium
    and High, three classifications, then let the end user sort them out.

    Now only if we knew someone at MITRE that could make this happen...

    ejovi

    > So, to echo Florian's comments, "local" and "remote" is not sufficient
    > in fully evaluating the severity of a vulnerability in a particular
    > environment.
    >
    > - Steve
    >
    > P.S. Credits to Adam Shostack and Scott Blake for initially educating
    > me about the role of authentication in "local" vs. "remote"
    > terminology.
    >

