Full Disclosure mailing list archives

RE: Response to comments on Security and Obscurity

From: "Clairmont, Jan M" <jan.m.clairmont () citigroup com>
Date: Thu, 2 Sep 2004 11:04:31 -0400

Valdis:
Ah so you wish to refine the clairmont-everhardt index of
security vulnerabilities? We are using fuzzy logic rigor.
So what would the formula be:

It would become Kletniek's Corollary to the Clairmont-Everhardt
Index of Security Vulnerability.

Kudos to you Valdis.8->

You are hereby awarded the Paladin of Security Award for Thoughtful
Reductionism  and all the rights and privileges that it entails.
8-> You may pick up your certificate at the nearest staples and 
right in your own recommendation for Paladin of Security Highest 
Achievement Award.

Or write me with a self-addressed stamped envelope I'll send you the 
certificate suitable for framing. Jan Clairmont, Paladin Security/MGO Consulting
                                            112 Delaware St. Suite 2
                                             New Castle, DE 19720

-----Original Message-----
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Thursday, September 02, 2004 10:39 AM
To: Clairmont, Jan M
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Response to comments on Security and
Obscurity 


On Wed, 01 Sep 2004 15:03:03 EDT, "Clairmont, Jan M" said:

The Clairmont-Everhardt Index of potential Security vulnerability being equal 
to the (Number of Computers)! * (Number of People using the systems)! * (Number of Ports)!
* (the Lines of Code)! * (The number of Applications)! * (Number of Routers/Hubs)! 
and any other factors you wish to include.


Given the "any other factors" clause, I won't ask what mathematically rigorous
reason there is to suspect that the factorial function is the proper one to use. :)

For starters, although our network has well over 2,000 routers/switches/access points,
the number that are directly impacting the security of the computer I'm typing on
is down in the several dozen range.  Similarly, one could make the case that it
should be "(number of computers)" and "(*AVERAGE* number of people per system)"
or a product of "number of users" times "number of systems each user has access to".

And so on....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Security & Obscurity: physical-world analogies, (continued)
- - Security & Obscurity: physical-world analogies Peter Swire (Sep 02)
    - Re: Security & Obscurity: physical-world analogies Dave Aitel (Sep 02)
    - Re: Security & Obscurity: physical-world analogies Frank Knobbe (Sep 02)
    - Re: Re: Security & Obscurity: physical-world analogies James Tucker (Sep 02)
    - Re: Re: Security & Obscurity: physical-world analogies Frank Knobbe (Sep 02)
    - Re: Re: Re: Security & Obscurity: physical-world analogies James Tucker (Sep 02)
    - Re: Security & Obscurity: physical-world analogies gadgeteer (Sep 03)
    - Re: Re: Security & Obscurity: physical-world analogies Tig (Sep 03)
    - Message not available
    - Re: Re: Security & Obscurity: physical-world analogies gadgeteer (Sep 03)
    - Re: Re: Security & Obscurity: physical-world analogies ASB (Sep 05)
- RE: Response to comments on Security and Obscurity Clairmont, Jan M (Sep 02)
- Re: Response to comments on Security and Obscurity Security List (Sep 02)
  - Re: Response to comments on Security and Obscurity James Tucker (Sep 02)
    - Re: Response to comments on Security and Obscurity Über GuidoZ (Sep 03)