[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "Local" and "Remote" considered insufficient

To: "Steven M. Christey" <coley@mitre.org>
Subject: Re: "Local" and "Remote" considered insufficient
From: Ejovi Nuwere <ejovi@ejovi.net>
Date: Wed, 22 Oct 2003 23:44:03 -0400

Steve,

To summarize a vurnerability in one line is always difficult, more so when you are writting in a language other then your native tongue. Your ideas might help eleviate some of those troubles but not the core, in addition to language issues, most security researchers are simply poor writers. All of the complexities you detailed are very real, that is why there needs to be a simplified terminology.

While Local and Remote alone are clearly not enough, Local, Remote, Remote Level 1, Remote Beta and Remote Delta will not help either.

The idea of Local, Remote, and Remote Authenticated sounds nice and I would love to see more researchers adhere to this phrasing or something similar to the risk catagories vurnerability scanners use. Low, Medium and High, three classifications, then let the end user sort them out.

Now only if we knew someone at MITRE that could make this happen...

ejovi

So, to echo Florian's comments, "local" and "remote" is not sufficient
in fully evaluating the severity of a vulnerability in a particular
environment.

- Steve

P.S.  Credits to Adam Shostack and Scott Blake for initially educating
me about the role of authentication in "local" vs. "remote"
terminology.

Follow-Ups:
- Re: "Local" and "Remote" considered insufficient
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- "Local" and "Remote" considered insufficient
  - From: "Steven M. Christey" <coley@mitre.org>

Prev by Date: [LSD] Security vulnerability in SUN's Java Virtual Machine implementation
Next by Date: Shatter XP
Previous by thread: "Local" and "Remote" considered insufficient
Next by thread: Re: "Local" and "Remote" considered insufficient
Index(es):
- Date
- Thread