[Full-Disclosure] Response to comments on Security and Obscurity
jftucker at gmail.com
Thu Sep 2 16:01:19 BST 2004
This is my last post in this conversation, as I am now finding it hard
to be reasonable in my responses.
On Thu, 2 Sep 2004 17:41:39 +0400, 3APA3A <3apa3a at security.nnov.ru> wrote:
> Security policy is never out of date because it's reviewed on a regular
> basis. It's your information about available solution that is out of
Solutions being available and common implementations are two very
different things. I would love to spend $5M a year on security, but
the company does not make that much profit.
> First, you constantly mess virii with worms and trojans. OK, let's think
> as you said "malware". Whether malware is out of date or not depends on
> the protection method you use against it. If you use antivirus - OK. You're
> protected against known viruses and maybe some future modifications of
> known viruses. This is very poor protection. A good protection is
> creating sandboxes on the application, OS or hardware level. For example, in
> a very simple case where the user can only run a signed application from an
> allowed list, most virii become out of date.
This is confusing to me. The meaning of "out of date" is something
which no longer applies due to age. Restricting runnable software to a
highly vetted, controllable list does not make any virus out of date.
There are a great many practical reasons and scenarios where this
cannot be done. There is a point at which you will close down the
system so tight that the users can no longer achieve all their work
with the systems provided to them. The chain of command will then
demand that some things become more open again. There is no perfect
solution at this time, and the best solution for a given scenario is
one which fits that scenario. Please stop giving extremist examples;
they are poor in the same way that an analogy can be poor: it does not
cover all the bases.
> In fact, the problem of virii is one of the largest and most expensive
> hoaxes. An antiviral program gives no protection. You can treat it as a
> kind of auditing tool which can alert you in case of poor
> administration (you must sack your administrator if you catch virii on
> your internal network) and filter some junk mail on your mail server,
> like a SPAM filter does.
I do not agree with this at all. The current invasiveness of a large
number of internet viruses is such that without anti-virus
applications and updated definitions, on a larger-scale network no
administrator could filter all that data by hand. If you think that a
good system administrator can completely eradicate the possibility of
a virus infection then you have a screw loose. There is no desktop
solution currently available which is secure enough to offer this
dream scenario. To suggest so is once again contradictory to good
security principles. You should never assume you are safe. With this
attitude it is not unlikely that a network which you administer is in
fact currently under attack.
> I have different opinions on this question. I do not read this
> discussion because I know answer, even for the case there is no network
> protocol bound to the port and no software service listening on it. I can
> point you to a real-life exploit with executing code directly from the
> port (of course, if you want to learn these dirty exploitation things).
> See "Bonus" section in
That would be an exploit of a piece of software, which is running a
protocol on that port. The relevant line being: "IndigoPerl reads
Perl script from COM1: port."
Once again you have made an incorrect assumption here. In fact, your
statement "I know answer, even for the case there is no network
protocol bound to port and no software service listening on it" is
completely false both for the real scenario and for the case you
provided yourself. Moreover, the exploit you "knew the answer to" had
no bounds or meaning in the domain described to apply to the question
asked in that discussion. What is the vector for incoming data on a
port which has no applications reading its buffers?
> It means spending the first 6 months without leaving a room for him, because
> he will not be able to leave the room without taking out his smart card.
> As far as I know human organism resources, you will need a new CEO after
> one week if there is no water supply in the room. It must be a really good
> test for the CEO's IQ.
So you want a fully integrated smart card authentication and physical
security system running from the same cards. Well, now I just feel
upset. Are you aware of the reason why TCP/IP was made to be a
I suppose I should suggest to the firm in my example that they rebuild
their entire physical infrastructure to use smart cards. This would
also have to be linked in with the fire system, and default to open
during a fire (by law in most countries). While I'm at it I will
request that they replace all of their desktops at the same time (so
that we get spangly new readers there too); meanwhile they will have
to move their entire office somewhere else. Thanks for the advice; the
shareholders didn't have the IT guy fired for that, they actively hung
him right there in the board room.
> And to pay another guard to look after the first guard, because he can also
> leave for lunch. The more people have access to the system, the less secure
> the system is. Today it's the human that becomes the weakest chain in security.
How pedantic of you, thanks.
There is no such thing as a "weak chain" in security. There are places
in a system with no holes and places with. If I can get in and run
code the game is up; end of story. Any breach is as bad as the next.
Full-Disclosure is hosted and sponsored by Secunia.