RE: [Full-Disclosure] Response to comments on Security and Obscurity
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: RE: [Full-Disclosure] Response to comments on Security and Obscurity
- From: "Clairmont, Jan M" <jan.m.clairmont@xxxxxxxxxxxxx>
- Date: Wed, 1 Sep 2004 15:03:03 -0400
Dr. Swire:
First I have to laud your courage for venturing onto this forum of inconsolate
security derelicts.
If there is one thing to learn about the world after 911: everything is a
potential military target. Infrastructure and the internet is certainly one
that needs to be secured. The question is how draconic security is going to
have to be.
With the advent of wireless 802.11b/g there will soon be no practical limit to
access and adding 10-20 million new users a month on the world-wide web, as you
can imagine the mind boggling growth of potential problems.
With that said, it makes it too easy to piggyback off other people's access and
remain totally anonymous on the internet and thus unleash any type of new
attack or DoS.
There remains so much work in plugging holes, finding new ones and fixing
them, that it is impossible for any large network, to plug them all.
The Clairmont-Everhardt Index of potential Security vulnerability being equal
to the (Number of Computers)! * (Number of People using the systems)! *
(Number of Ports)! * (the Lines of Code)! * (The number of Applications)! *
(Number of Routers/Hubs)! and any other factors you wish to include.
Your article, in some ways, contains the essence of the problems that
are occurring and getting worse, not just what is secure and what is not, but
that everything is a security risk. It is so easy to slip up, passwords thru
e-mail, trivial passwords, unsecured cookies, trivial encryption, identity
theft. We can go on and on.
Potential answers are not in a new group of AV, Firewall and security
companies flailing around trying to keep up. It should be a centralized
regulated effort to stop spam, virii, trojans, etc etc.
Now a centralized database with automated filtering, fault isolation, shutting
down the badly infected, is necessary and/or going to a true fully encrypted
network is not the total answer.
Too many people leave the barn door wide open.
But until that day we need some type of rapid response team to get things
nailed down quickly.
And it needs to be centralized and it needs to have authority to plug the
holes, put out the fires before they spread.
And that doesn't guarantee success. It is a war on cyber terrorism, criminal
activity and that is not going to end overnight, someone is always willing to
sell the keys to the kingdom.
My rant on that. This is a perfectly good service that Homeland Security could
provide with a fairly modest budget. The question is how to keep the whole
business democratic without denying access to the common user. The answer is
adequate user community oversight and participation. The first part has been
partially done with spam, it could gradually grow to contain, questionable
sites (Porn, illegal services etc.), advertising offer sites, download sites,
spyware downloaders, mail filters (eliminate redundant and frequent ad offers).
Again the answer for the user community would be voluntary participation.
Frankly I don't know anyone who wants their computer infected with this
constant bombardment of junk. I would love to have a centralized mail filter
to eliminate all this crap.
And your paper is a great start in that direction and I laud the effort.
I have been working in practical data security for over 20 years, from
encryption, login password, intrusion detection, firewalls, security policy,
penetration testing etc. etc. There is no single answer but I think if we can
work on a Six Sigma program to re-iterate the process and continue to improve
we can become more effective, so we all can fully enjoy the internet and the
fun stuff. I am plugging holes in UNIX security and must get back to that
never ending battle for truth justice and the American internet hiway (with
apologies to Superman).
Warm Regards,
Jan Clairmont, KMGO
Paladin of Security
-
Prof. Peter P. Swire
Moritz College of Law of the
Ohio State University
John Glenn Scholar in Public Policy Research
(240) 994-4142; www.peterswire.net
-----Original Message-----
From: Barry Fitzgerald [mailto:bkfsec@xxxxxxxxxxxxxxxx]
Sent: Wednesday, September 01, 2004 10:49 AM
To: Peter Swire
Cc: full-disclosure@xxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] New paper on Security and Obscurity
Peter Swire wrote:
>Greetings:
>
> I have been lurking on Full Disclosure for some time, and now would like to
>share an academic paper that directly addresses the topic of “full
>disclosure” and computer security:
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html