From: Jiri Baum <jirib@sweeney.cs.monash.edu.au>
Date: Tue, 17 Oct 95 20:17:05 PDT
To: vznuri@netcom.com (Vladimir Z. Nuri)
Subject: Re: proposal: "security spectrum scale" (SSS)
In-Reply-To: <199510131841.LAA17086@netcom9.netcom.com>
Message-ID: <199510180313.NAA26276@sweeney.cs.monash.edu.au>
MIME-Version: 1.0
Content-Type: text/plain


-----BEGIN PGP SIGNED MESSAGE-----

Hello,

"Vladimir Z. Nuri" <vznuri@netcom.com> wrote:

...
> to aid this serious problem, I propose the creation of a 
> UNIFIED SECURITY SPECTRUM RANKING.

Good idea - if you can pull it off. If you can't, you will create
even more confusion. That is a decision only your conscience can make.

> this would be a list of all the different types of security weaknesses
> a system can have, and their LEVEL OF SEVERITY. it would attempt to 
> rank every type of security breach possible. then, when a new
> security weakness is discovered, it could be ranked A1 or B5 or C6
...

I wouldn't use <letter><number> because that could be confused with
Orange Book security ratings. The RISKS are obvious, as they say.

...
> another idea behind the rating: it might be a sort of matrix format,
> such as "a-6-alpha" where each of the elements indicates some kind
> of independent factor. for example the "a" might mean "client side",
...

If you want multi-axis, perhaps something like the Geek code, except
standardized so that severity is apparent even if you don't remember
the letters?

(Eg in the Geek Code "+" is usually good but many people wouldn't look
well on d++ or w+++++ (conservative dress and Bill Gates resp.). You
would want "+" to always be good, for example.)

You also want it fairly short (media) - alternatively make it so that
it is possible to say (eg) "A2" or "A2+dx/g8/b*" depending on how much
detail you want (column space).

...
> I don't really consider myself the best 
> qualified in terms of experience but sometimes if you want something done, you
> have to do it yourself.

A.k.a. "cypherpunks write code".

...
> another neat perq: if the cypherpunks come up with a good scale, it
> could be a tremendous positive publicity tool. "today experts discovered
> a bug in -x- that rated a -y- on the CSSS (Cypherpunk Security Spectrum Scale)"

What's wrong with "a bug in -x- that rated -y- on the Cypherpunk Scale"?
There's already TDM TLAs (that's "too damn many three letter acronyms").


Then williams@va.arca.com (Jeff Williams) responded:
...
> Unfortunately, severity is a question of perspective.  In some
> environments, an operating system crash could be considered catastrophic.
> In others, it just means reboot and continue.  I'm not a policy wonk,
> but security is relative to what you care about.

That doesn't rule out a scale: it merely changes how you perceive the
scale.

An earthquake 3.6 on the Richter scale would be no problem if you are
playing poker, say, but "catastrophic" if you are playing mikado.

It also depends on the "Operating System" (building) you are in.

> > to aid this serious problem, I propose the creation of a 
> > UNIFIED SECURITY SPECTRUM RANKING.
> 
> There already was a USSR, but I think it ultimately failed :-}

I wouldn't exactly say Soyuz failed; I'd say the main problem was that
they got a leader with a conscience... And you can't have a totalitarian
dictator with a conscience (as you can see).

...
> > bug that was recently discovered (say, the recent netscape bugs)
> > was, say, not really as potentially severe as the Morris worm.
> 
> To whom?

I would suspect the best answer is "to the general public" or "to the
average user".

If you are not an average user, you reinterpret the rankings to your
liking, making sure that you get more information on those that are
potentially severe to you. It'll still help you by giving you a 
preliminary ranking.

...
> The only way to unify security rankings is to constrain the problem by
> assuming an environment and intended uses for the system.  It sounds
> like you are assuming a low assurance workstation with an internet
> connection which is used for non-critical home or business purposes.

No, that is not necessary. Just like you can say an earthquake measures
3.6 on the Richter scale without making any statements about whether
or not it is "severe".

...
> Any flaw rating system needs to consider how it will deal with advancing
> protection technology.  For example, susceptability to viruses is much less
...

Not really, you don't need to change the Richter scale just because
buildings have got more solid. The perception of the scale needs to
change, but not the scale itself.

> Also, how do you rate situations where flaws are combined to mount an attack?
...

Then you are asking not for a rating of individual bugs, but overall
bugginess of a product. That can be rated on the same scale or a different
one, but it is a different question.

("A bug discovered in -x- rating -y-, raising the overall bugginess
or -x- to -z-. Film at 10.9959268374")

Then "Vladimir Z. Nuri" <vznuri@netcom.com> responded:
...
> the security rating would not be particularly useful to security experts,
> other than giving a rough idea of the potential severity of the problem.
...

Yup, or if you have long and short versions the long could actually
contain some more useful info.

...
> if something is not done to help convey accurate information,
> a void occurs and potentially "urban myths" 
> such as "the internet steals your credit cards" would tend to 
...

Do we *mind*? "The internet steals your credit cards - download Magic
Money!" :-)


OK, I guess we do mind.

Jiri
- --
If you want an answer, please mail to <jirib@cs.monash.edu.au>.
On sweeney, I may delete without reading!
PGP 463A14D5 (but it's at home so it'll take a day or two)
PGP EF0607F9 (but it's at uni so don't rely on it too much)

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMIRw5SxV6mvvBgf5AQF/iQQAory7PrJ2sJ1FXSOmXbwju5UHGbOjIMJV
CxWD7yPdAooz7ou8JImjky2c558YRxuY+cEXyCvOkTUzgtHwrwCY4IYI/U6e44fw
a9En7faSYG5eqOldpeSyuGqbC8DqEhuHAZiReFUHAduZw+fy7Oq9XNbWGZe20ZEN
I4Hsw6AvvRA=
=WTgn
-----END PGP SIGNATURE-----