Hello Walter,

Thank you for your heads up. You are probably right about the length of the message. I wanted to put as many arguments on the table as possible. But now I fear I have silenced the opposition.

Hopefully, Manuel and Chaim find time for a message sooner or later.

Ahoj,

Christian

On Fri, Feb 19, 2016 at 08:30:27PM +0100, Walter Hop wrote:
> Hi Christian,
>
> You make some very good points! Meanwhile there seems to be a correlation
> between the length of a mailing list post and the number of replies ;) I'm not
> too bothered with the name, I originally offered "strict" but I can live
> perfectly with paranoia!
>
> Cheers,
> WH
>
> > On 18 Feb 2016, at 13:13, Christian Folini <christian.fol...@netnea.com>
> > wrote:
> >
> > Hello,
> >
> > We have finished the list of rule candidates for our little
> > pet project. I have a working implementation under
> > https://github.com/dune73/owasp-modsecurity-crs/tree/paranoia-mode
> > and I think it is time to sort out the naming question
> > before submitting the first pull request with the basic mechanics.
> > (-> see https://www.owasp.org/index.php/OWASP_ModSec_CRS_Paranoia_Mode
> > for an explanation of the 4 pull requests planned)
> >
> > I started out this project with the idea of an "on/off" setting.
> > Hence the idea of "mode". However, it became clear we are going
> > to work with a "level" ranging from 0-4 instead. So the idea of
> > "mode" no longer really applies. We need to find something better.
> >
> > But of course, the core question is, if this should be called
> > paranoia, paranoid, strict or aggressive or something else.
> >
> > I opted for paranoia from the start and I still think it is the
> > right term. However, there has been opposition and we need to find
> > a solution everybody can agree with. I also think this is an
> > important discussion, as it is a non-technical discussion. So
> > everybody can chime in without being an expert and without running
> > lengthy tests in his lab.
> >
> > Let me open the discussion with my reasoning why "paranoia" is the
> > right term. I will then continue to discuss the other options
> > and then you can respond and tell me why I am wrong and why the
> > other options are much better suited....
> >
> > "Paranoia" is the new normal. The more the attacks evolve and the
> > more servers we configure, the more we realise there is no real
> > security without being paranoid. So while paranoia used to be
> > a negative term, it is getting a more and more positive connotation;
> > especially in IT security.
> > Google the terms
> > paranoid information security
> > and you will get 2M hits. One of the top ones is
> > http://www.darkreading.com/operations/the-perfect-infosec-mindset-paranoia-+-skepticism/a/d-id/1297596
> > where the author says paranoia is the standard mindset now
> > (hence paranoia mode) and that you need to pair this with
> > skepticism (in other words: the tuning of your ruleset).
> >
> > Other hits include the following titles:
> > 13 Security and Privacy Tips for the Truly Paranoid
> > Security for the Paranoid - SecurityFocus
> > I became paranoid with computer security issues, I always ...
> > The paranoid CISO | CSO Online
> > Computer-Security Paranoia
> > openssl - How paranoid should the average user be about ...
> >
> > Looking through some of these hits, I get the feeling that those
> > who really care about security acknowledge that they are paranoid
> > and that they think that is the right attitude.
> >
> > I also remember reading about paranoid security settings 10-20 years ago
> > and I would skip them immediately. Now, when looking at a new software
> > or product, the term paranoia immediately catches my eye and I read
> > about the most paranoid options first and then decide if the product is
> > any good. Without paranoia options, I think it must be a happy sunshine
> > hippy thing.
> >
> > Additionally, the term "PARANOID_MODE" is already there, even if it has
> > not been in wide use in the 2.2.X series of rules:
> >
> > 2.2.X> grep -r -i paranoi | wc -l
> > 9
> >
> > The Merriam-Webster dictionary has multiple definitions for paranoia.
> > One of them is:
> > "a tendency on the part of an individual or group toward excessive or
> > irrational suspiciousness and distrustfulness of others"
> >
> > I think the adjectives "excessive", "irrational", "distrustful"
> > characterise our new functionality very well: When raising the level,
> > you are enabling additional rules, which will cause an excessive number
> > of false positives due to a general distrustful attitude towards user
> > submitted input.
> >
> > Ideally, two years down the line, ModSecurity (Core Rules) discussion
> > will run like this:
> > "Man, I should install ModSecurity and the Core Rules on my server,
> > but I heard false positives are going to kill me."
> > "No worries, as long as you keep the paranoia setting low, false
> > positives are minimal."
> >
> > Two weeks ago, The Register ran a story about
> > Rob Joyce, head of NSA's Tailored Access Operations:
> > http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions/
> > The article closed with The Register quoting Joyce:
> > "At the end of the day it all boils down to knowing your network,
> > he said, and it's vital that IT administrators pick up their game
> > and get paranoid about attacks."
> >
> > Well said. And the core rules paranoia feature is going to help
> > with this in a controlled way without killing you with
> > false positives on the first day of the installation.
> >
> > But let's look at the alternatives: "Strict" has been named as
> > a better term. I do not like strict. It implies that the standard
> > installation is not strict. Or that the default rules were not
> > strict. In fact they are very strict. Every single one of them.
> > It's just that they are more focused on less delicate aspects
> > of the requests.
> >
> > So I think the term does not work as it misleads the user into
> > making the wrong assumptions. You could say that running
> > the CRS in anomaly scoring mode and setting a threshold of >5
> > is un-strict. But the individual rules are all strict from my
> > point of view.
> >
> > This is even more true, as we have Ryan Barnett's proposal to
> > use "aggressive". I think aggressive trumps strict as it
> > sounds more like a gradual setting in my ears (both terms
> > exist in German as well, so maybe these are false friends
> > for me and their meaning is a wee bit different in English).
> >
> > So the new feature set would allow us to adjust how aggressive the
> > core rule set is. That does not sound too bad. It reminds me of a "teeth
> > metaphor" I use at times. A strong ruleset has strong teeth. By tuning
> > false positives, you pull a few of the teeth while keeping most of them
> > in place. The level of aggression adjusting with this new setting would
> > thus add more teeth and the ruleset would thus become more aggressive. I
> > guess it's not overly wrong to think of piranhas in a pond.
> >
> > The root of the term comes with the idea of active defense.
> > It lets me think of a strike back. Look up the term
> > aggressive on the Merriam-Webster dictionary. All the
> > definitions point in that direction:
> > http://www.merriam-webster.com/dictionary/aggressive
> > Aggressive always means that you not only defend, but you attack
> > as well.
> >
> > (paranoia is entirely different in this regard. It does not
> > imply any counter strike)
> >
> > So I think aggressive does not entirely meet the character of the new
> > functionality, which is in line with the rest of the core rule set in
> > being entirely defensive. It just blocks attacks. It absolutely does not
> > attempt to shut down the client, inject malware into the response or
> > launch a DoS attack against the source IP address (which would all be
> > possible with the right set of rules).
> >
> > And what would be the complete term? Level of Aggression or
> > Level of Aggressiveness, Aggressiveness Setting? That all springs
> > to mind. And that just does not sound very cool in my ears.
> > Or outright negative ("Level of Aggression!").
> >
> > So all in all, I think we should work with paranoia. It's the best
> > I can think of right now. And I thought about this a lot.
> >
> > But now let me hear what you think about it!
> >
> > Please do not take too long. My first pull request is almost
> > ready, so let's come to a resolution in the next few days.
> >
> > Best regards,
> >
> > Christian
> >
> >
> > --
> > Any technology that does not appear magical is insufficiently
> > advanced.
> > -- Gregory Benford
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
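The thread describes the feature only in words: a level from 0-4, where raising the level enables additional rules, and an anomaly-scoring mode in which a request is blocked once its summed score reaches a threshold. The following toy model, added here as an illustration and not code from the CRS project or from the paranoia-mode branch linked above, shows how that gating combines with anomaly scoring and why the false-positive count grows with the level. All rule identifiers, patterns, scores, sample inputs and the threshold of 5 are constructed for the example.

```python
# Added example, not part of the mailing-list thread or of the CRS project:
# a toy model of paranoia-level gating inside an anomaly-scoring rule set.
# Every rule id, pattern, score and sample input below is constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str          # constructed identifier, not a real CRS rule id
    paranoia_level: int   # lowest configured level at which the rule runs
    pattern: str          # regular expression applied to the argument
    score: int            # anomaly score added when the pattern matches


# Constructed rules. Level 1 rules look for clear attack signatures; each
# higher level adds a broader, more "distrustful" check that is also more
# likely to fire on legitimate input.
RULES = [
    Rule("pl1-sqli-union", 1, r"(?i)\bunion\b.+\bselect\b", 5),
    Rule("pl1-xss-script", 1, r"(?i)<script\b", 5),
    Rule("pl2-sql-keyword", 2, r"(?i)\b(select|insert|update|delete)\b", 3),
    Rule("pl3-quote-char", 3, r"['\"]", 2),
    Rule("pl4-any-nonalnum", 4, r"[^A-Za-z0-9 ]", 3),
]


def evaluate(argument, paranoia_level, threshold=5):
    """Score one request argument at the given paranoia level.

    Returns (total_score, matched_rule_ids, blocked). A rule only runs when
    its paranoia_level is <= the configured level, so raising the level adds
    rules without changing what the lower-level rules do; the request is
    blocked once the summed score reaches the threshold.
    """
    score = 0
    matched = []
    for rule in RULES:
        if rule.paranoia_level > paranoia_level:
            continue  # gated off at this paranoia level
        if re.search(rule.pattern, argument):
            score += rule.score
            matched.append(rule.rule_id)
    return score, matched, score >= threshold


# Constructed sample inputs: one attack string and two benign values.
SAMPLES = {
    "attack": "1 UNION SELECT username, password FROM users",
    "benign-text": "Please select 'express' delivery",
    "benign-name": "O'Brien",
}


def false_positives(paranoia_level, threshold=5):
    """Number of benign samples that would be blocked at this level."""
    return sum(
        1
        for name, value in SAMPLES.items()
        if name.startswith("benign")
        and evaluate(value, paranoia_level, threshold)[2]
    )


if __name__ == "__main__":
    for level in range(1, 5):
        print(f"PL{level}: benign samples blocked = {false_positives(level)}")
        for name, value in SAMPLES.items():
            print(f"  {name:12} -> {evaluate(value, level)}")
```

Running the block shows the trade-off the thread argues about: the attack string is blocked at every level, while the benign samples are only blocked once level 3 (the quote rule) and level 4 (the catch-all non-alphanumeric rule) add their scores on top of the level 2 keyword rule. Keeping the level low therefore keeps false positives minimal without weakening the level 1 signature rules.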