Re: FW: *ICN - A Conspiracy of Inertia?

From: Michal Zalewski (lcamtuf@coredump.cx)
Date: 03/19/02


Date: Tue, 19 Mar 2002 12:23:56 -0500 (EST)
From: Michal Zalewski <lcamtuf@coredump.cx>
To: Benjamin Tomhave <falcon@cybersecret.com>

On Mon, 18 Mar 2002, Benjamin Tomhave wrote:

> Has anybody else heard about this? It seems to uphold a principle that
> I've tried to consistently apply throughout my security career --
> working with known quantities whenever possible and configuring systems
> to only accept those known quantities. Even if the software is
> fictitious, it represents the possibility for a paradigm shift from the
> perspective of IDS, among other things. Thoughts?

Don't see a new paradigm here, really. The fact that current attacks are
very often not subtle does not imply it is possible to build a formal
model of "acceptable" behavior and reject everything else to prevent all
sorts of attacks. It will surely stop most obvious ones, but so what? It
gives you little added security and severely impairs functionality, boosts
deployment costs. It is used right now in certain mission-critical
applications.

It is a question of acceptable security-to-functionality ratio. For most
systems, it is fairly low. Flexibility decreased ten times, deployment
costs increased 100 times is not the way for a typical webserver owner to
get rid of "most obvious attacks" - having a good sysadm is probably much
better. The guy is coming from the world of very well founded, carefully
developed (sometimes for years), precisely defined single-purpose systems
that do not evolve over time and are supposed to do very specific tasks
and nothing else. And yes, if you have a very specific critical database
installation, enormous funds, lots of time and so on, you should and
probably will build a custom, well-controlled system with very strong
execution flow control and so on and so on. But most of us do not live in
such a reality, and most people want programs featured, flexible, cheap
and delivered fast. It is the market, not a vendor conspiracy. The
comment I noticed, "This guy simply has no idea how big and stupid the
world is" probably summarizes my feelings about it pretty well.

-- 
_____________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
          http://lcamtuf.coredump.cx/photo/