Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Michael Krymson (krymsongmail.com)
Date: Thu Feb 26 2009 - 10:46:33 CST
The fun times of security semantics! I'd have to argue that DoS conditions
have the potential to be security issues. Then again, I'd also prefer not to
remove A from CIA, but this is not from the standpoint of a developer or
software vendor. I understand how that opinion changes based on
perspective... Maybe someone will be interested in some non-technical
A- A DoS condition is discovered in Apache. I can trigger it by sending a
specially crafted packet to Apache. Apache crashes. I can do this many times
until you stop me or Apache fixes it.
B- A DoS condition is discovered in Safari. I can trigger it by getting you
to go to my web page www.youhavenobusinessreasontobehere.com/goats.blah. You
hit my site, you decide not to come back after your browser bombs.
C- A DoS condition is discovered in Safari, the same as before. I can
trigger it by editing your intranet portal and inserting my lovely code. All
of your internal users need to use your intranet portal, but they all keep
crashing, crashing, crashing. Yikes!
I would suggest that DoS conditions are not a priori security issues, but it
certainly depends on the context and whether security has or could have an
*interest* in them.
I would suggest A is a security issue because more power is in the hands of
the attacker than the user. (Yeah, what a horrible definition that will be
once someone tears it up!)
I would suggest B is simply a bug and not something that really affects the
world too much.
I would suggest C is a security bug in the intranet portal, but the browser
crash is of a concern to security as well. It might not specifically be a
security issue in the browser, but the effect of it is a concern to
On Thu, Feb 26, 2009 at 9:21 AM, Thierry Zoller <Thierryzoller.lu> wrote:
> > Just because a bug class can crash an application
> > doesn't make it a security issue.
> A remotely triggerable DoS condition is a security issue per se, my
> opinion about the trend to remove the A in CIA for statisitca reasons
> can be read here :
> Thierry Zoller
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/