Full Disclosure mailing list archives
Re: The Death of Defence in Depth ? - An invitation to Hack.lu
From: Sergio Alvarez <sergio.alvarez () nruns com>
Date: Wed, 10 Oct 2007 17:16:30 +0200
Hi FX,

Those were Thierry's words, *not* mine. I want to make this clear so that there are no misunderstandings.

The fact is that you are 100% correct: our talk will be about 'Defeating Defenses', especially focusing on border/perimeter and intranet defenses. We won't talk about defeating any defense in depth mechanisms (i.e. bypassing any exploitation prevention mechanisms).

Cheers,
Sergio

Thierry Zoller wrote:
> Dear Felix,
>
> While I love your comment and really welcome constructive criticism, I actually think you should keep the focus on the Fox News style question marks. Nowhere is it being said that this is the end of Defence in Depth (as a paradigm); we ask the question. Then again, you seem to be judging about something you haven't seen nor read. Is this because I ask the Fox News style questions and you give Fox News style comments?
>
> FFL> the title is misleading at best.
>
> While I have the utmost respect for your person, in this particular case, I am sorry dude, but how can you tell? Have you seen the presentation? Have you heard the conclusion? I don't think so? Though you are more than welcome to see it :)
>
> FFL> Defense in Depth has nothing to do
> FFL> with security software.
>
> In a certain sense it has. Defence in depth is a paradigm applied not only to how you design software but also to how you implement solutions. The talk is about reality, not an RFC or CISSP definition. FYI, while certainly not a reference, here is what Wikipedia has to say:
>
> "Defense in Depth is an Information Assurance (IA) strategy where multiple layers of defense are placed throughout an Information Technology (IT) system and addresses personnel, technology and operations for the duration of the system's lifecycle."
> http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
>
> FFL> To the contrary. The paradigm describes an
> FFL> approach where you assume that individual (even multiple) elements of your
> FFL> defense fall, in the worst possible way (which could be code
> FFL> execution).
>
> Thank you for the definition, though I must let you know I am fully aware of it. (I miss a mandatory RFC link.) The presentation will talk of exactly that: "...assume... multiple elements of your defense fall". What currently is being done in the industry is to ADD more layers of defence to protect against one failing; this is being done by adding one parsing engine after the other.
>
> Again, nobody said Defence in Depth is wrong in itself, it's just the way the Software Industry has led companies to implement it. _This_ is the point. Don't get me wrong, defence in depth as a general paradigm is perfectly fine :) But you would have had to listen to the talk to draw that conclusion; this is what I find most irritating about your comment. And it raises a big question mark as to your motivation for this public comment.
>
> FFL> What you are describing is people adding security software
> FFL> _instead_ of applying a thorough defense in depth design.
>
> I am describing nothing, Felix, you are judging about a presentation _you have not even seen_. How dare you !!! ==))))
>
> FFL> Your presentation title suggests that one of the very few paradigms
> FFL> that actually promises long term security benefits does not work.
>
> Felix, I am suggesting nothing; you are taking a friendly invitation as a reason to bitch about how you THINK the talk will be given, though you have no clue.
>
> FFL> Wrong. I suggest you find a better title.
>
> At your command! =) The title fits the presentation perfectly. I find it rather arrogant and bloated to comment in this way and fashion on a public mailing list. I welcome any other comment to my personal Inbox, Phone, Fax, whatever; I will ignore any other comment by public means before the actual talk has been given and there is actual substance to start a discussion. I would have loved to receive a question before you shoot.
--
"If we knew what it was we were doing, it would not be called research, would it?", Albert Einstein
====================================================================
Sergio Alvarez
Director of Research Security
n.runs AG
Nassauer Strasse 60
D-61440 Oberursel
Germany
phone: +49 6171 699 538
fax: +49 6171 699 199
email: sergio.alvarez () nruns com
http://www.nruns.com
Key fingerprint = B1E1 C0F2 89E6 575D 32DB A871 AAAA E025 B237 9274
Key ID = B2379274
security - network - technology - consulting - vendor-independent
Register court: Bad Homburg v.d. Hoehe, HRB 10399
Supervisory board: Horst Marscholek (Chairman), Ulrich Caspar, Alexander Kersting
Management board: Andreas Bruns (Chairman), Donald Lee
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/