[32137] in bugtraq
Re: "Local" and "Remote" considered insufficient
daemon@ATHENA.MIT.EDU (Ejovi Nuwere)
Thu Oct 23 12:58:49 2003
Message-ID: <3F974E83.9050509@ejovi.net>
Date: Wed, 22 Oct 2003 23:44:03 -0400
From: Ejovi Nuwere <ejovi@ejovi.net>
MIME-Version: 1.0
To: "Steven M. Christey" <coley@mitre.org>
Cc: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
In-Reply-To: <200310222039.h9MKdtD3026312@linus.mitre.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Steve,
To summarize a vurnerability in one line is always difficult, more so
when you are writting in a language other then your native tongue. Your
ideas might help eleviate some of those troubles but not the core, in
addition to language issues, most security researchers are simply poor
writers. All of the complexities you detailed are very real, that is why
there needs to be a simplified terminology.
While Local and Remote alone are clearly not enough, Local, Remote,
Remote Level 1, Remote Beta and Remote Delta will not help either.
The idea of Local, Remote, and Remote Authenticated sounds nice and I
would love to see more researchers adhere to this phrasing or something
similar to the risk catagories vurnerability scanners use. Low, Medium
and High, three classifications, then let the end user sort them out.
Now only if we knew someone at MITRE that could make this happen...
ejovi
> So, to echo Florian's comments, "local" and "remote" is not sufficient
> in fully evaluating the severity of a vulnerability in a particular
> environment.
>
> - Steve
>
> P.S. Credits to Adam Shostack and Scott Blake for initially educating
> me about the role of authentication in "local" vs. "remote"
> terminology.
>
