Re: Firewall security: Re: Problems with simple Samba file share

From: Peter T. Breuer (ptb_at_lab.it.uc3m.es)
Date: 05/09/05


Date: Mon, 9 May 2005 07:53:05 +0200

Tony Lawrence <foo@pcunix.com> wrote:
> Peter T. Breuer wrote:
> > It ignores the probabilities, hence is naive. I showed you (via
> > stochastic argument) that the situation is stochastically negligible -
> > if the exploit is not generally used then it is improbable that you
> > will experience it.

> You are basing this on cost/benefit then.

Well, I was arguing using probability, not expectation (risk), but
"yes". Probability is risk "without taking into account a varying damage
estimate". And yes, this is precisely how one evaluates security.

> If the risk is negligible,
> there's no reason to take any action.

Exactly. One constructs the attack/defense tree, assigns probabilities
and damage valuations to it, and constructs the expected loss.

> Actually, security is much more closely related to insurance.

That's risk.

> As an
> instance of that, I can say that I've lived in this town for 57 years,
> and during that time I believe there have been two house fires.

So assuming that there are 2000 houses in town, the probability of a
house fire is 2/2000/57 or 1:57000 per year. Assuming that the average
damage is about $50K, you expect to pay just under $1 per year in
insurance. Any more than that you pay is profit to the insurance
company.

> Neither
> was my home. I'd say the risk of my house burning down is pretty
> small. Yet, I carry insurance for that. Why bother?

Well, because it's legally required. I assume. From your point of view,
any long odds bet is a win, since you can't do enough experiments to
make it into a statistic. You should always bet at long odds - you may
get "lucky" once in a lifetime. If not, so what? You're dead.

> Because although
> the chance of it happening may be small, it would be disastrous for me,
> so I'm willing to pay the premium every year.

> Same with adding a firewall for additional protection. The risk may be
> small, but the cost to me would be high, so I'll make the small investment.

Ahhh ... so you think there is a cost. Only effort. No - the cost is
more subtle: it's the attitude that you don't control what's going on in
your box, and need to control it at the IP level because you can't do it
at the application level.

Try controlling it - it's simple. You don't need a firewall to
establish your control.

Peter
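
The attack/defense tree calculation mentioned in the post above, as an added example that is not part of the original message or written by either poster. It reproduces the house-fire figure from the post and then evaluates a small constructed tree; the node names, probabilities, damage value and defense cost for that tree are assumptions made up for illustration, and leaf events are assumed independent.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    kind: str = "leaf"      # "leaf", "and" (all children needed) or "or" (any child suffices)
    p: float = 0.0          # leaf only: probability of the event per year
    children: list = field(default_factory=list)

def probability(node, blocked=frozenset()):
    """Yearly probability that this node's goal is reached; leaves are assumed independent."""
    if node.name in blocked:            # a defense that removes this step entirely
        return 0.0
    if node.kind == "leaf":
        return node.p
    ps = [probability(c, blocked) for c in node.children]
    if node.kind == "and":
        return prod(ps)
    return 1.0 - prod(1.0 - p for p in ps)

def expected_loss(root, damage, blocked=frozenset()):
    """Expected loss per year = probability of the root goal x damage valuation."""
    return probability(root, blocked) * damage

def defense_value(root, damage, blocked, yearly_cost):
    """Return (loss avoided per year, whether that exceeds the defense's yearly cost)."""
    avoided = expected_loss(root, damage) - expected_loss(root, damage, blocked)
    return avoided, avoided > yearly_cost

# The house-fire figures from the post: 2 fires, 2000 houses, 57 years, $50K damage.
FIRE = Node("house fire", p=2 / 2000 / 57)

# Constructed tree and numbers, for illustration only.
SHARE = Node("file share compromised", "or", children=[
    Node("remote compromise", "and", children=[
        Node("exploit in general use", p=0.01),
        Node("service reachable from outside", p=0.5),
    ]),
    Node("credentials misused", p=0.02),
])

if __name__ == "__main__":
    print(f"fire: ${expected_loss(FIRE, 50_000):.2f} per year")
    print(f"share, no filter: ${expected_loss(SHARE, 20_000):.2f} per year")
    avoided, pays = defense_value(SHARE, 20_000, {"service reachable from outside"}, 150)
    print(f"filter avoids ${avoided:.2f} per year, pays for itself: {pays}")
```

With these constructed numbers the outcome depends entirely on the probabilities and costs fed in, which is the point both posters are arguing over.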


