Philosophical discussion of security (was: Re: [hackers-il] The wheel reinvention mystery)
Apparently passions about the story are still hot around the nonprofit
in question. Anyway, I duly notice the diversion (change of topic) in
the discussion - from discussion of wheel reinvention vs. NIH to
management of security.
I am cross-posting this also to discussions@..., because the
altered topic is more appropriate to Hamakor discussions than to the
general philosophical atmosphere of Hackers-IL.
On Fri, 2006-09-22 at 02:06 +0300, Nadav Har'El wrote:
> On Thu, Sep 21, 2006, Omer Zak wrote about "[hackers-il] The wheel reinvention mystery":
> > A recent argument in Hamakor prompted me to consider the general
> > question why would people sometimes prefer not to reinvent the wheel,
> > and why would they be enthusiastic about reinventing the wheel.
> > http://tddpirate.livejournal.com/63135.html
> I posted my opinion on your post in your blog (under the heading "you're
> a bit confused" :-) ).
> Unlike you, the same Hamakor thread prompted me to ponder on a different
> topic - one that I raised on this list a few months ago. This is the question
> of how come every time that somebody uses "security" as a reason for some
> action (or inaction), people immediately take this as an acceptable
> explanation, even if it is completely unfounded.
I agree that the "S" word is frequently abused. We have been
experiencing it a lot in Israel, where political censorship, corruption
and environmental damage (TAASH in the Hod Hasharon area, for example) were
hidden behind the veil of "Security".
However, in this specific case, I believe that nonstandard configuration
by knowledgeable people does promote security. The problem seems to be
the failure to take the complementary step of documenting the changes in
the system and ensuring that it is easy for someone else to pick up the
reins. (Think of what would happen if the first sysadmin were hit by a
> Also, people tend to think about security as a binary thing: either there is
> "security" or there is "no security", and obviously "security" is better
> than "no security". In reality security is a broad spectrum, and there is
> *always* a tradeoff between more security at the cost of more money / less
> functionality / less convenience.
Yes. Please tell us what your threat model is and how (in your opinion)
Hamakor should deal with each threat.
A quick and dirty threat model is as follows:
1. Membership information - should be guarded (even if a single person's
ID can be easily obtained by other means, we do not want to release the
IDs of 100 people, about 50% of them are successful).
2. Financial accounting - can be viewed, must not be tampered with.
3. Web site - not to be defaced.
4. Wiki - occasional defacing is acceptable (everyone knows that wikis
are not as protected) but must be easy to detect and recover from.
5. Mailing lists - must not be a vector for spam.
6. Worms and trojan horses - must at least be easy to detect and
--- The Captions Troll
In civilized societies, captions are as important in movies as
soundtracks, professional photography and expert editing.
My own blog is at http://tddpirate.livejournal.com/
My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS: at http://www.zak.co.il/spamwarning.html

On Fri, Sep 22, 2006, Omer Zak wrote about "Philosophical discussion of security (was: Re: [hackers-il] The wheel reinvention mystery)":
> I am cross-posting this also to discussions@..., because the
> altered topic is more appropriate to Hamakor discussions than to the
> general philosophical atmosphere of Hackers-IL.

Are you looking for abuse? Posting on a heated subject, and in English, on
the Hamakor list? I'm not joining your game, and returning this to hackers-il.
> > Also, people tend to think about security as a binary thing: either there is
> > "security" or there is "no security", and obviously "security" is better
> > than "no security". In reality security is a broad spectrum, and there is
> > *always* a tradeoff between more security at the cost of more money / less
> > functionality / less convenience.
> Yes. Please tell us what your threat model is and how (in your opinion)
> Hamakor should deal with each threat.

You (and the "first sysadmin" in question) are acting as if Hamakor's site
is some sort of unique site that needs unique protection. In fact, it and
your "threat list" are hardly unique. The threats you list are the same for
*every* web site: almost every web site wants not to be defaced, contains a
bit of personal data, does not want to be taken over by spammers, and so on.
So every "Linux distribution", which already caters to web site builders,
already takes these threats seriously. They already have timely and automatic
security updates, a firewall, secure defaults, a system-call firewall (i.e.,
"selinux"), rootkit and change detection, stack-smashing protection and many
Indeed, you may argue that these measures protect against the "typical"
threats, and may not protect against extremely dedicated and clever attackers
with zero-day attacks up their sleeve. So what - are you expecting any of
those to target Hamakor's site? If these attacks come on Hamakor every, say,
10 years, what kind of functionality/cost/convenience cost are you agreeing
to incur in order to reduce their frequency to once every 20 years? (yes,
this is what the security/functionality tradeoff looks like).
Anyway, it appears you completely missed my most important point: perhaps
*some* of this sysadmin's actions are (somehow) justified by security.
But he hung *every* one of his actions on security, and you believe him
implicitly just because of the word "security".
For example, he refused to install Perl on the machine, stating that one
interpreter (PHP) is enough, and having another one will open more holes.
Really - do you seriously believe that? Perhaps one specific worm that depends
on Perl will fail on a machine without Perl, but do you seriously believe
that this will hinder a serious attacker for more than 5 minutes? How hard
is it for an attacker to install Perl himself, if he wants Perl *that* much?
And this "Perl" thing is just an example. It just goes to show you how easy
it is for people (like you) to defend bizarre actions just because they were
done in the name of "security" or have a weak smell of "security" in them.
> A quick and dirty threat model is as follows:
> 1. Membership information - should be guarded (even if a single person's
> ID can be easily obtained by other means, we do not want to release the
> IDs of 100 people, about 50% of them are successful).

Most web sites in fact contain MUCH MORE sensitive data than Hamakor's
membership list (which only lists 200 people and does not contain any
financial information, credit card numbers, or anything even a bit interesting
to crackers). The fact you're getting overworked by a "list of ids" is very
strange, considering how you can find these ids everywhere: go to any
university and see id lists hanging on the wall or used as computer user ids,
for example. Lists (originally created for use in elections) of millions of
Israeli citizens, their personal details and ids, are floating around, with
every criminal able to get them. Office buildings (like the one I
mentioned) already take the physical id cards of thousands of "successful"
(as you call them) people who come to the building, and can do with them
much more than just copying the id numbers.

> 2. Financial accounting - can be viewed, must not be tampered with.

These have no business being on the Internet site, and never were on the site.
Nadav Har'El                        | Friday, Sep 22 2006, 29 Elul 5766
Phone +972-523-790466, ICQ 13349191 | Seen on the back of a dump truck:
http://nadav.harel.org.il           | <---PASSING SIDE . . . . . SUICIDE--->