Dailydave mailing list archives
Re: With great responsibility comes great power.
From: Gadi Evron <ge () linuxbox org>
Date: Sat, 30 Jun 2007 11:23:23 -0500
I don't believe there is anything in this thread which helps any of us, but although there is some limited truth I can agree to in what you write, equating information warfare to vulnerabilities is like equating war to guns. Yes, important analogies and correlations do exist, but it is irresponsible if given as empiric advice. Warfare is far from JUST the technology used, and if we are to listen to Clausewitz (who I humbly disagree with on this one point), completely irrelevant.

You mentioned some interesting points on that vulnerabilities are ammunition, of sorts, and that some vendors such as SCADA vendors are as clueless as most of the vendors we deal with were 10 years ago (rephrasing). These are important points. But your analogy of "information warfare, vulnerability less or more" is a simplification I can't live with.

Gadi.

On 2007-06-30 10:35+0300, Ari Takanen wrote:
Hello Lyndon,

Date: Wed, 27 Jun 2007 12:02:12 +1200
From: lyndon sutherland <lyndons () paradise net nz>
Subject: Re: [Dailydave] With great responsibility comes great power.
To: dailydave () lists immunitysec com

[snip]

More seriously though, the paper "Cyber Warfare, An analysis of the means and motivations of selected nation states" from Dartmouth provides some insights:
http://www.ists.dartmouth.edu/directors-office/cyberwarfare.pdf
The paper is dated December 2004 so could be considered a little dated but certainly in my opinion worth a read.

[snip]

Thanks for the link! Browsing through the 142 pages of speculation, they finally caught the key point in two lines on page 132:

"Resolve currently known software and hardware vulnerabilities in operating systems, server software, SCADA systems, and DCS systems."

One could even take this further and say:

Identify all critical systems (network equipment, operating systems, server software, client software, SCADA systems, and DCS systems), and test them for previously unknown security vulnerabilities using all possible means. For those systems that are used in critical systems, resolve all found or currently known software and hardware vulnerabilities.

The situation in cyber-war is very simple:

* attack capability: how many vulnerabilities (publicly known or unknown) you know about (accurate metric)
* defense capability: how many vulnerabilities (known or unknown) you have in your systems (estimate metric)
* threat: how many attack programs against those the opponent has (estimate metric)

Fix the flaws you have, and you are secure. Do not fix the flaws that the opponent has, and you have ammunition. The strength has nothing to do with the size of the budget.

Unfortunately today you do not need to spend any resources to have a cyberwar capability. Attacks are freely available, and most defenses are down. The greatest weakness today is that nobody is interested in testing the defense capability.
If I showed a SCADA vendor a bunch of minus-infinity-day (well, it is not a zero-day if nobody but me knows about it) flaws they asked me if their customers knew about these flaws. You know what happens if I said their customers will never know about those flaws. That was several years ago, and the flaws are still there, waiting for their adversaries to find them.

Most vendors are not interested in investing into proactive security. When the flaws are not known by anyone but a trusted party, they will not be fixed. When the vendors will be made to understand that this is the wrong attitude to security, we would not need public disclosure any more.

Eliminating public disclosure in one way or the other would change the landscape significantly! People would have to find their own vulnerabilities to be able to exploit them.

Best regards,
/Ari

--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                       Codenomicon Ltd.
ari.takanen () codenomicon com    Tutkijantie 4E
tel: +358-40 50 67678             FIN-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
--
--
"beepbeep it, i leave work, stop reading sec lists and im still hearing gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.