Re: controversial paper

From: John A. Malley (102667.2235_at_compuserve.com)
Date: 09/28/03


Date: Sun, 28 Sep 2003 11:19:07 -0700


[...]

>
> I think that there is a problem that has no 'absolutely'
> definite answer: If one installs some software (freeware
> or not) to counter certain bad actions of type X, how
> could one be sure that that software doesn't surreptitiously
> contain stuff that could initiate bad actions of type Y
> (Y could be identical to X, of course)?

Two things come to mind:

1) Web of Trust
2) Partitioning with Isolation (breach containment)

Web of trust is the first thing to pop into my head to describe the
notion of reputation of a source among individuals or entities that one
respects, and who vouch for the security threat posed by the source. The
BBB is such a "web of trust" with respect to small businesses operating
in a U.S. community. The AAA is such a "web of trust" with respect to
automotive repair and accommodations for travelers in the U.S.

Partitioning with Isolation is what I'm calling concentric or recursive
sequestering of data/information into separate logical pieces, or
domains of access, such that the value of information stored and
accessed in one area is different than in other areas, the ability to
transfer and access data across boundaries is regulated and/or audited
in proportion to the max data value of a pair of communicating domains,
and complete knowledge and control of any domain's stored data never
gives access to any more valuable domain's knowledge, but may (if one
risks it) give access to lesser value domains' knowledge.

Think of it as Defense in Depth.

So in my personal example, the machine on which I installed the screen
saver should hold data whose value is such that I'm ok with its leaking
out onto the Internet. And more sensitive data gets stored on another
machine that is not networked into this machine, and has perhaps no
access to the Internet. And the machine with the screen saver can never
physically link to it.

And the screen saver is downloaded from web sites connected to major
studios or entertainment powerhouses. And I monitor webzines for reports
on spybots as reported by others. And I monitor the reputation of the
supplier of the spybot detector, who also provides tools and information
on a variety of security issues. And includes cryptographic hashes of
the binaries, but alas, I trust him on the binaries because he doesn't
offer the source. But, my firewall records outgoing as well as incoming
activity, and I compare that against what I authorized on this machine.

These are qualitative defenses. Dissimilar qualitative defenses afford
the best defense*, where dissimilar means different with respect to
technology, design, maintenance, manufacture or operation, such that no
common mode error (of maintenance, manufacture, operation, design,
implementation) defeats the defenses of two or more protective domains.

I presented a paper at the SAE ACE 2003 conference in Montreal two weeks
ago on this same concept as applied to airplane systems design -
qualitative robustness analysis (and quantitative robustness analysis)
to demonstrate systems robustness [*] with respect to Unknown Unknowns,
unanticipated failure modes and failure rates of systems components, and
unanticipated errors in design, maintenance, operation, environment, for
systems with catastrophic functional hazards. I'm thinking of ways to
apply the concept to information systems and that's why I'm monitoring
this thread. (If anyone wants a copy of that paper in PDF form just
email me. I don't want to put it up on a web site just yet, I need to
double check the SAE copyright terms.) I've not read the controversial
paper yet, and I want to go off and read it ASAP so I can better
participate in this thread. I need a few days - my day job is taking up
most of my time lately, that and the fact that my laptop computer
crashed and is now in the shop! Hence this lesser spare I fumble with
today. :-( (I still owe Mxmaster(?) and Ben Mord and others fair
responses to questions they asked of me!)

John A. Malley
102667.2235@compuserve.com
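Two of the checks described in the message above (comparing a downloaded binary against the supplier's published hash, and comparing the firewall's outbound record against what the owner actually authorized), as an added Python example that is not part of the original post. The binary bytes, the log line format, the addresses and the authorized set are all constructed for the illustration.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded binary and the digest its supplier published.
BINARY = b"constructed screen saver bytes"
PUBLISHED_SHA256 = hashlib.sha256(BINARY).hexdigest()  # normally copied from the vendor's page


def verify_digest(data: bytes, published_hex: str) -> bool:
    """Compare the SHA-256 of what was actually downloaded with the published digest."""
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; a mismatch means the binary is not the one the supplier vouched for.
    return hmac.compare_digest(actual, published_hex.lower())


# Constructed firewall log (assumed format); addresses are from RFC 5737 documentation ranges.
FIREWALL_LOG = """\
2003-09-28 11:02:17 OUT ALLOW 192.0.2.10:1034 -> 198.51.100.20:80 TCP
2003-09-28 11:02:18 IN  ALLOW 198.51.100.20:80 -> 192.0.2.10:1034 TCP
2003-09-28 11:05:44 OUT ALLOW 192.0.2.10:1035 -> 203.0.113.7:6667 TCP
2003-09-28 11:05:50 OUT ALLOW 192.0.2.10:1036 -> 198.51.100.20:443 TCP
"""

# Destinations the owner authorized this machine to talk to: (host, port).
AUTHORIZED = {("198.51.100.20", 80), ("198.51.100.20", 443)}

LINE_RE = re.compile(r"^\S+ \S+ (OUT|IN)\s+\w+ (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def unauthorized_outbound(log_text: str, authorized: set) -> list:
    """Return the outbound (host, port) pairs in the log that were never authorized.

    Inbound lines are ignored; the point is what the machine initiated on its own.
    """
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "OUT":
            continue
        dst = (m.group(4), int(m.group(5)))
        if dst not in authorized and dst not in flagged:
            flagged.append(dst)
    return flagged


if __name__ == "__main__":
    print("digest ok:", verify_digest(BINARY, PUBLISHED_SHA256))
    print("unexpected outbound:", unauthorized_outbound(FIREWALL_LOG, AUTHORIZED))
```

The unexplained connection to port 6667 is exactly the kind of discrepancy the comparison against the authorized set is meant to surface.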
