On Tue, 12 Dec 2000, Kathy wrote:

> It appears Bruce does not think very highly of SANS.  Is SANS lacking

Bruce doesn't seem to think highly of anyone else in the security space
as far as I can tell, however remember that he's a cryptographer, not a
general security person.

> the credibility or as dubious as Bruce makes them sound?  I heard SANS
> has a decent security conference.  Are there better alternatives or
> recommendations?

SANS' conferences are well-worth attending.

> 
> In the article, Bruce recommends against SANS rewarding writing a
> virus that auto-fixes a vulnerability. I agree with Bruce in that the
> cure might be worse than the actual vulnerability, but has anyone
> tried this?  Did they do it because of the SANS reward?

I'm not aware of significant activity in that space, and everyone who's
considered virally protecting people has eventually shaken their heads and
decided that it's a worse idea than it seemed initially.

Bruce's article isn't exactly canonical, here are some examples of issues
with it:

Computer programs have more than two types of vulnerabilities, and the
oversimplification doesn't do anyone any good.

He also misses two of the most significant issues with "good viruses":
malicious copycats is the most obvious, and their effect on anti-virus
products running in heuristic mode is the second.  Making the AV industry
decide how to handle such code isn't the best place to put them either.

Viruses "by their very nature" don't _have_ to spread in a chaotic and
unchecked manner; like any program they're fully capable of scheduling,
hierarchical propagation and even checking before executing replicating
code.  It's advantageous for malcode authors to use massive chaotic
infection patterns, but it's not a base need for success or an
architectural requirement.

His general conclusions are solid, but not earth shattering.  Predicting
that there are more serious flaws in MS products is like predicting that
tomorrow there will be weather.

Don't let Bruce talk you out of attending a SANS conference, and don't let
SANS' occasional fit of stupidity scare you away either.  Their
conferences are worth the effort (CSI is in the same ballpark.)

If you're looking for serious technical depth with interesting stuff, but
not a lot of straight practicality, USENIX Security is _THE_ security
conference IMO.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."