RE: [Full-Disclosure] Response to comments on Security and Obscurity
From: Clairmont, Jan M (jan.m.clairmontcitigroup.com)
Date: Wed Sep 01 2004 - 14:03:03 CDT
First I have to laud your courage for venturing onto this forum of inconsolate
If there is one thing to learn about the world after 911: everything is a
potential military target. Infrastructure and the internet is certainly one that
needs to be secured. The question is how draconic security is going to have to be.
With the advent of wireless 802.11b/g there will soon be no practical limit to access
and adding 10-20 million new users a month on the world-wide web, as you
can imagine the mind boggling growth of potential problems.
With that said, it makes it too easy to piggyback off other people's access and
remain totally anonymous on the internet and thus unleash any type of new
attack or DoS.
There remains so much work in plugging holes, finding new ones and fixing
them, that it is impossible for any large network to plug them all.
The Clairmont-Everhardt Index of potential Security vulnerability being equal
to the (Number of Computers)! * (Number of People using the systems)! * (Number of Ports)!
* (the Lines of Code)! * (The number of Applications)! * (Number of Routers/Hubs)!
and any other factors you wish to include.
Your article, in some ways, contains the essence of the problems that
are occurring and getting worse, not just what is secure and what is not, but that everything
is a security risk. It is so easy to slip up, passwords thru e-mail, trivial passwords,
unsecured cookies, trivial encryption, identity theft. We can go on and on.
Potential answers are not in a new group of AV, Firewall and security companies flailing around trying to keep
up. It should be a centralized regulated effort to stop spam, virii, trojans, etc etc.
Now a centralized database with automated filtering, fault isolation, shutting down the badly infected,
is necessary and/or going to a true fully encrypted network is not the total answer.
Too many people leave the barn door wide open.
But until that day we need some type of rapid response team to get things nailed down quickly.
And it needs to be centralized and it needs to have authority to plug the holes, put out the fires before they spread.
And that doesn't guarantee success. It is a war on cyber terrorism, criminal activity and
that is not going to end overnight, someone is always willing to sell the keys to the kingdom.
My rant on that. This is a perfectly good service that Homeland Security could provide with
a fairly modest budget. The question is how to keep the whole business democratic without
denying access to the common user. The answer is adequate user community oversight and
participation. The first part has been partially done with spam, it could gradually grow to
contain questionable sites (Porn, illegal services etc.), advertising offer sites, download sites,
spyware downloaders, mail filters (eliminate redundant and frequent ad offers). Again the answer
for the user community would be voluntary participation. Frankly I don't know anyone who wants their
computer infected with this constant bombardment of junk. I would love to have a centralized mail filter
to eliminate all this crap.
And your paper is a great start in that direction and I laud the effort.
I have been working in practical data security for over 20 years, from encryption, login password, intrusion
detection, firewalls, security policy, penetration testing etc. etc. There is no single answer but
I think if we can work on a Six Sigma program to re-iterate the process and continue to improve we
can become more effective, so we all can fully enjoy the internet and the fun stuff. I am plugging
holes in UNIX security and must get back to that never ending battle for truth justice and the
American internet hiway (with apologies to Superman).
Paladin of Security
Prof. Peter P. Swire
Moritz College of Law of the
Ohio State University
John Glenn Scholar in Public Policy Research
(240) 994-4142; www.peterswire.net
From: Barry Fitzgerald [mailto:bkfsecsdf.lonestar.org]
Sent: Wednesday, September 01, 2004 10:49 AM
To: Peter Swire
Subject: Re: [Full-Disclosure] New paper on Security and Obscurity
Peter Swire wrote:
> I have been lurking on Full Disclosure for some time, and now would like to
>share an academic paper that directly addresses the topic of “full
>disclosure” and computer security:
Full-Disclosure - We believe in it.