[Techtalk] Theory vs. practice

Julie jockgrrl at austin.rr.com
Mon Jan 14 02:12:53 EST 2002

"Raven, corporate courtesan" wrote:
> Heya --
> Quoth Julie (Fri, Jan 11, 2002 at 07:54:13PM -0600):
> > Security is fun stuff.  Are people more interested in the "theory"
> > part of security or the "I wanna keep the hackers out of my box"
> > part?  My forte is more towards the theory end and less towards
> > the practical end.
>         It's about a 50/50 split for me.  I vastly prefer understanding
> what I'm doing and why, so I need a good theoretical backing.  But I
> retain information much better if I put it into practice. It doesn't
> seem to matter which one's first; I get the same "Oooooh, *that's* how
> it works" either way.

A lot of what's out there today in terms of "practice" has very
little to do with formal security theory and more to do with really
bad coding.  For example, most of the security problems we see are
coding errors -- buffer overflows, parameter checking, software
races, and the like.  Theory is more oriented towards "What is the
security policy of the system and how do I know it is the right

>         If I have the luxury of time, usually the theory comes first.
> I'm a fan of reading the docs before I try something.  But sometimes
> it's "Ooop, need a firewall now, what's that ipchains option?" and I'll
> read up on it later.

Yup, sounds like the classic case of "Always time to do it over,
but never time to do it right".

We built firewall functionality into the C2 evaluation I led for
AIX 4.3.1 a few years back.  The ability to control access to
service ports based on the UID of the requesting process on the
client was critical to some of the security assertions we were
making, so you can imagine we spent a =lot= of time making sure
the packet filters worked properly.

Firewalls are cool.  Sometimes when my son refuses to get off
the computer and do his homework or clean up his messes in the
den I threaten to firewall the computer in his bedroom.  It
wouldn't work, though -- he'd just move to another computer in
the house and the next thing I know I'd have to just unplug the
cable modem ...

Julianne Frances Haugh             Life is either a daring adventure
jockgrrl at austin.rr.com           or nothing at all.
                                       -- Helen Keller
