$0.02: "Defense in Depth" means *reducing* attackable surface, *reducing* execution privilege, *reducing* complexity, etc. If you guys are criticizing the ongoing trend towards enterprise-wide AV monitoring and routing all network traffic through SSL-terminating deep-packet-inspecting content-filtering 1U rack mount appliances, well, that's more like the exact opposite. That's more surface area, more complexity, and more privilege. I'd call it "Defense in Breadth."

- Eric

Thierry Zoller wrote:
> Dear Felix,
> While I love your comment and really welcome constructive criticism,
> I actually think you should keep the focus on the Fox News style
> question marks. Nowhere is it being said that this is the end of
> Defence in Depth (as a paradigm), we ask the question.
>
> Then again you seem to be judging about something you haven't seen
> nor read. Is this because I ask the Fox News style questions and you
> give Fox News style comments?
>
> FFL> the title is misleading at best.
> While I have the utmost respect for your person, in this particular
> case, I am sorry dude, but how can you tell? Have you seen the
> presentation? Have you heard the conclusion? I don't think so?
> Though you are more than welcome to see it :)
>
> FFL> Defense in Depth has nothing to do
> FFL> with security software.
> In a certain sense it has. Defence in depth is a Paradigm not only
> applied to how you design software but also how you implement solutions.
> The talk is about reality, not an RFC or CISSP Definition.
>
> FYI, while certainly not a reference, here is what Wikipedia has to say:
> "Defense in Depth is an Information Assurance (IA) strategy where
> multiple layers of defense are placed throughout an Information
> Technology (IT) system and addresses personnel, technology and
> operations for the duration of the system's lifecycle."
> http://en.wikipedia.org/wiki/Defense_in_Depth_(computing)
>
> FFL> To the contrary. The paradigm describes an
> FFL> approach where you assume that individual (even multiple) elements of your
> FFL> defense fall, in the worst possible way (which could be code
> FFL> execution).
> Thank you for the definition, though I must let you know I am fully
> aware of it. (I miss a mandatory RFC link) The presentation will
> talk of exactly that "...assume.. multiple elements of your defense fall"
>
> What currently is being done in the industry is to ADD more layers of
> defence to protect against one failing; this is being done by adding
> one parsing engine after the other. Again nobody said Defence in Depth
> is wrong in itself, it's just the way the Software Industry has led
> companies to implement it. _This_ is the point.
>
> Don't get me wrong, defence in depth as a general Paradigm is perfectly
> fine :) But you would have had to listen to the talk to draw that
> conclusion, this is what I find most irritating about your comment. And
> it raises a big question mark as to your motivation for this public
> comment.
>
> FFL> What you are describing is people adding security software
> FFL> _instead_ of applying a thorough defense in depth design.
> I am describing nothing Felix, you are judging about a Presentation
> _you have not even seen_. How dare you!!! ==))))
>
> FFL> Your presentation title suggests that one of the very few paradigms
> FFL> that actually promises long term security benefits does not work.
> Felix I am suggesting nothing, you are taking a friendly invitation
> as reason to bitch about how you THINK the talk will be given, though
> you have no clue.
>
> FFL> Wrong. I suggest you find a better title.
> At your command! =)
>
> The title fits the presentation perfectly, I find it rather arrogant
> and bloated to comment in this way and fashion on a public mailing
> list. I welcome any other comment to my personal Inbox, Phone, Fax,
> whatever; I will ignore any other comment by public means before
> the actual talk was given and there is actual substance to start
> a discussion. I would have loved to receive a question before you
> shoot.
>
> --
> "If we knew what it was we were doing, it would not be called research, would it?", Albert Einstein
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/