-----BEGIN PGP SIGNED MESSAGE----- Hello, "Vladimir Z. Nuri" <vznuri@netcom.com> wrote: ...
to aid this serious problem, I propose the creation of a UNIFIED SECURITY SPECTRUM RANKING.
Good idea - if you can pull it off. If you can't, you will create even more confusion. That is a decision only your conscience can make.
this would be a list of all the different types of security weaknesses a system can have, and their LEVEL OF SEVERITY. it would attempt to rank every type of security breach possible. then, when a new security weakness is discovered, it could be ranked A1 or B5 or C6 ...
I wouldn't use <letter><number> because that could be confused with Orange Book security ratings. The RISKS are obvious, as they say. ...
another idea behind the rating: it might be a sort of matrix format, such as "a-6-alpha" where each of the elements indicates some kind of independent factor. for example the "a" might mean "client side", ...
If you want multi-axis, perhaps something like the Geek code, except standardized so that severity is apparent even if you don't remember the letters? (Eg in the Geek Code "+" is usually good but many people wouldn't look well on d++ or w+++++ (conservative dress and Bill Gates resp.). You would want "+" to always be good, for example.) You also want it fairly short (media) - alternatively make it so that it is possible to say (eg) "A2" or "A2+dx/g8/b*" depending on how much detail you want (column space). ...
I don't really consider myself the best qualified in terms of experience but sometimes if you want something done, you have to do it yourself.
A.k.a. "cypherpunks write code". ...
another neat perq: if the cypherpunks come up with a good scale, it could be a tremendous positive publicity tool. "today experts discovered a bug in -x- that rated a -y- on the CSSS (Cypherpunk Security Spectrum Scale)"
What's wrong with "a bug in -x- that rated -y- on the Cypherpunk Scale"? There's already TDM TLAs (that's "too damn many three letter acronyms"). Then williams@va.arca.com (Jeff Williams) responded: ...
Unfortunately, severity is a question of perspective. In some environments, an operating system crash could be considered catastrophic. In others, it just means reboot and continue. I'm not a policy wonk, but security is relative to what you care about.
That doesn't rule out a scale: it merely changes how you perceive the scale. An earthquake 3.6 on the Richter scale would be no problem if you are playing poker, say, but "catastrophic" if you are playing mikado. It also depends on the "Operating System" (building) you are in.
to aid this serious problem, I propose the creation of a UNIFIED SECURITY SPECTRUM RANKING.
There already was a USSR, but I think it ultimately failed :-}
I wouldn't exactly say Soyuz failed; I'd say the main problem was that they got a leader with a conscience... And you can't have a totalitarian dictator with a conscience (as you can see). ...
bug that was recently discovered (say, the recent netscape bugs) was, say, not really as potentially severe as the Morris worm.
To whom?
I would suspect the best answer is "to the general public" or "to the average user". If you are not an average user, you reinterpret the rankings to your liking, making sure that you get more information on those that are potentially severe to you. It'll still help you by giving you a preliminary ranking. ...
The only way to unify security rankings is to constrain the problem by assuming an environment and intended uses for the system. It sounds like you are assuming a low assurance workstation with an internet connection which is used for non-critical home or business purposes.
No, that is not necessary. Just like you can say an earthquake measures 3.6 on the Richter scale without making any statements about whether or not it is "severe". ...
Any flaw rating system needs to consider how it will deal with advancing protection technology. For example, susceptability to viruses is much less ...
Not really, you don't need to change the Richter scale just because buildings have got more solid. The perception of the scale needs to change, but not the scale itself.
Also, how do you rate situations where flaws are combined to mount an attack? ...
Then you are asking not for a rating of individual bugs, but overall bugginess of a product. That can be rated on the same scale or a different one, but it is a different question. ("A bug discovered in -x- rating -y-, raising the overall bugginess or -x- to -z-. Film at 10.9959268374") Then "Vladimir Z. Nuri" <vznuri@netcom.com> responded: ...
the security rating would not be particularly useful to security experts, other than giving a rough idea of the potential severity of the problem. ...
Yup, or if you have long and short versions the long could actually contain some more useful info. ...
if something is not done to help convey accurate information, a void occurs and potentially "urban myths" such as "the internet steals your credit cards" would tend to ...
Do we *mind*? "The internet steals your credit cards - download Magic Money!" :-) OK, I guess we do mind. Jiri - -- If you want an answer, please mail to <jirib@cs.monash.edu.au>. On sweeney, I may delete without reading! PGP 463A14D5 (but it's at home so it'll take a day or two) PGP EF0607F9 (but it's at uni so don't rely on it too much) -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMIRw5SxV6mvvBgf5AQF/iQQAory7PrJ2sJ1FXSOmXbwju5UHGbOjIMJV CxWD7yPdAooz7ou8JImjky2c558YRxuY+cEXyCvOkTUzgtHwrwCY4IYI/U6e44fw a9En7faSYG5eqOldpeSyuGqbC8DqEhuHAZiReFUHAduZw+fy7Oq9XNbWGZe20ZEN I4Hsw6AvvRA= =WTgn -----END PGP SIGNATURE-----