Thanks Christian, for this statement. It’s encouraging to see how much effort 
you put into this.

In terms of seriousness I’d weight the three given expressions as such: 
paranoid > aggressive > strict. Besides the fact Christian pointed out - that 
aggressive implies an offensive action - I’d argue that paranoid is also the 
term that’d bother a user the most. Scanning through the patch-notes or going 
through the default configuration the term ‘paranoia’ would likely raise 
someone’s attention and therefore promote a thorough review of this particular 
mode. At least that’s what I’d do.

Cheers,
Noël


> On 18 Feb 2016, at 13:13, Christian Folini <christian.fol...@netnea.com> 
> wrote:
> 
> Hello,
> 
> We have finished the list of rule candidates for our little
> pet project. I have a working implementation under
> https://github.com/dune73/owasp-modsecurity-crs/tree/paranoia-mode
> and I think it is time to sort out the naming question
> before submitting the first pull request with the basic mechanics.
> (-> see https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode
> for an explanation of the 4 pull requests planned)
> 
> I started out this project with the idea of an "on/off" setting.
> Hence the idea of "mode". However, it became clear we are going
> to work with a "level" ranging from 0-4 instead. So the idea of
> "mode" no longer really applies. We need to find something better.
> 
> But of course, the core question is, if this should be called
> paranoia, paranoid, strict or aggressive or something else.
> 
> I opted for paranoia from the start and I still think it is the
> right term. However, there has been opposition and we need to find
> a solution everybody can agree with. I also think this is an
> important discussion, as it is a non-technical discussion. So
> everybody can chime in without being an expert and without running
> lengthy tests in his lab.
> 
> Let me open the discussion with my reasoning why "paranoia" is the
> right term. I will then continue to discuss the other options
> and then you can respond and tell me why I am wrong and why the
> other options are much better suited....
> 
> "Paranoia" is the new normal. The more the attacks evolve and the
> more servers we configure, the more we realise, there is no real
> security without being paranoid. So while paranoia used to be
> a negative term, it is getting a more and more positive connotation;
> especially in IT security.
> Google the terms
> paranoid information security
> and you will get 2M hits. One of the top ones is
> http://www.darkreading.com/operations/the-perfect-infosec-mindset-paranoia-+-skepticism/a/d-id/1297596
> where the author says paranoia is the standard mindset now
> (hence paranoia mode) and that you need to pair this with
> skepticism (in other words: the tuning of your ruleset).
> 
> Other hits include the following titles:
> 13 Security and Privacy Tips for the Truly Paranoid
> Security for the Paranoid - SecurityFocus
> I became paranoid with computer security issues, I always ...
> The paranoid CISO | CSO Online
> Computer-Security Paranoia
> openssl - How paranoid should the average user be about ...
> 
> Looking through some of these hits, I get the feeling that those
> who really care about security acknowledge that they are paranoid
> and that they think that is the right attitude.
> 
> I also remember reading about paranoid security settings 10-20 years ago
> and I would skip them immediately. Now, when looking at a new software
> or product, the term paranoia immediately catches my eye and I read
> about the most paranoid options first and then decide if the product is
> any good. Without paranoia options, I think it must be a happy sunshine
> hippy thing.
> 
> Additionally, the term "PARANOID_MODE" is already there, even if it has
> not been in wide use in the 2.2.X series of rules:
> 
> 2.2.X> grep -r -i paranoi | wc -l
> 9
> 
> The Merriam-Webster dictionary has multiple definitions for paranoia.
> One of them is:
> "a tendency on the part of an individual or group toward excessive or
> irrational suspiciousness and distrustfulness of others"
> 
> I think the adjectives "excessive", "irrational", "distrustful"
> characterise our new functionality very well: When raising the level,
> you are enabling additional rules, which will cause an excessive number
> of false positives due to a general distrustful attitude towards user
> submitted input.
> 
> Ideally, two years down the line, ModSecurity (Core Rules) discussion
> will run like this:
> "Man, I should install ModSecurity and the Core Rules on my server,
> but I heard false positives are going to kill me."
> "No worries, as long as you keep the paranoia setting low, false
> positives are minimal."
> 
> Two weeks ago, The Register ran a story about
> Rob Joyce, head of NSA's Tailored Access Operations:
> http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions/
> The article closed with The Register quoting Joyce:
> "At the end of the day it all boils down to knowing your network,
> he said, and it’s vital that IT administrators pick up their game
> and get paranoid about attacks."
> 
> Well said. And the core rules paranoia feature is going to help
> with this in a controlled way without killing you with
> false positives on the first day of the installation.
> 
> But let's look at the alternatives: "Strict" has been named as
> a better term. I do not like strict. It implies that the standard
> installation is not strict. Or that the default rules were not
> strict. In fact they are very strict. Every single one of them.
> It's just that they are more focused on less delicate aspects
> of the requests.
> 
> So I think the term does not work as it misleads the user into
> making the wrong assumptions. You could say that running
> the CRS in anomaly scoring mode and setting a threshold of >5
> is un-strict. But the individual rules are all strict from my
> point of view.
> 
> This is even more true, as we have Ryan Barnett's proposal to
> use "aggressive". I think aggressive trumps strict as it
> sounds more like a gradual setting in my ears (both terms
> exist in German as well, so maybe these are false friends
> for me and their meaning is a wee bit different in English).
> 
> So the new feature set would allow us to adjust how aggressive the
> core rule set is. That does not sound too bad. It reminds me of a "teeth
> metaphor" I use at times. A strong ruleset has strong teeth. By tuning
> false positives, you pull a few of the teeth while keeping most of them
> in place. Adjusting the level of aggression with this new setting would
> thus add more teeth, and the ruleset would thus become more aggressive. I
> guess it's not overly wrong to think of piranhas in a pond.
> 
> The root of the term comes with the idea of active defense.
> It makes me think of a strike back. Look up the term
> aggressive on The Merriam Webster dictionary. All the
> definitions point in that direction:
> http://www.merriam-webster.com/dictionary/aggressive
> Aggressive always means that you not only defend, but you attack
> as well.
> 
> (paranoia is entirely different in this regard. It does not
> imply any counter strike)
> 
> So I think aggressive does not entirely meet the character of the new
> functionality, which is in line with the rest of the core rule set in
> being entirely defensive. It just blocks attacks. It absolutely does not
> attempt to shut down the client, inject malware into the response or
> launch a DoS attack against the source IP address (which would all be
> possible with the right set of rules).
> 
> And what would be the complete term? Level of Aggression or
> Level of Aggressiveness, Aggressiveness Setting? That all springs
> to mind. And that just does not sound very cool in my ears.
> Or outright negative ("Level of Aggression!").
> 
> So all in all, I think we should work with paranoia. It's the best
> I can think of right now. And I thought about this a lot.
> 
> But now let me hear what you think about it!
> 
> Please do not take too long. My first pull request is almost
> ready, so let's come to a resolution in the next few days.
> 
> Best regards,
> 
> Christian
> 
> 
> --
> Any technology that does not appear magical is insufficiently
> advanced.
> -- Gregory Benford
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
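The mechanics Christian describes above (a level from 0 to 4 that enables additional, more distrustful rules, combined with an anomaly score that is compared against a threshold) can be illustrated with a small model. This is an added example, not code from the thread or from the OWASP CRS repository: the rule identifiers, patterns, scores and the threshold below are constructed for the illustration, and the gating logic is a toy version of the idea, not the CRS implementation.

```python
"""
Toy model of a paranoia-level gate combined with anomaly scoring.

Constructed illustration only: the rule catalogue, scores and threshold are
invented for this example and are not the OWASP CRS rules or its real
implementation. It shows the behaviour described in the thread: raising the
level enables additional, broader rules, which raises the anomaly score of
borderline (often legitimate) input and so produces more false positives.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Rule:
    rule_id: int          # hypothetical identifier, not a CRS rule id
    paranoia_level: int   # lowest level at which the rule is active (1..4)
    score: int            # anomaly points added on match
    pattern: str          # regex applied to the request payload
    description: str


# Constructed rule catalogue. Level-1 rules are narrow; higher levels are
# deliberately broader and therefore more likely to match legitimate input.
RULES = [
    Rule(100001, 1, 5, r"(?i)\bunion\s+select\b", "SQL keyword sequence"),
    Rule(100002, 1, 5, r"<script\b", "inline script tag"),
    Rule(100003, 2, 3, r"(?i)\bselect\b", "lone SQL keyword in input"),
    Rule(100004, 3, 3, r"'", "single quote in input"),
    Rule(100005, 4, 2, r"[^\x20-\x7e]", "non-printable or non-ASCII character"),
]


def active_rules(level, rules=RULES):
    """Rules enabled at the given paranoia level; level 0 disables all of them."""
    return [r for r in rules if 1 <= r.paranoia_level <= level]


def evaluate(payload, level, rules=RULES):
    """Return (anomaly_score, [matched rule ids]) for one payload at one level."""
    matched = [r for r in active_rules(level, rules) if re.search(r.pattern, payload)]
    return sum(r.score for r in matched), [r.rule_id for r in matched]


def is_blocked(payload, level, threshold=5, rules=RULES):
    """Anomaly-scoring decision: block once the summed score reaches the threshold."""
    score, _ = evaluate(payload, level, rules)
    return score >= threshold


if __name__ == "__main__":
    # Constructed sample payloads: one legitimate form value, one attack string.
    samples = {
        "benign (name field)": "O'Reilly's café",
        "attack (SQL injection)": "1' UNION SELECT password FROM users--",
    }
    for label, payload in samples.items():
        print(label)
        for level in range(0, 5):
            score, ids = evaluate(payload, level)
            verdict = "BLOCK" if is_blocked(payload, level) else "pass"
            print(f"  level {level}: score={score:2d} rules={ids} -> {verdict}")
```

Run stand-alone, the table shows the trade-off the thread argues about: the attack string is blocked from level 1 upward, while the legitimate name passes at levels 1 and 2, collects points at level 3 and is blocked at level 4, which is exactly the "excessive number of false positives" that a high setting buys in exchange for broader coverage.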

