Linked by David Adams on Tue 28th Jun 2011 15:35 UTC, submitted by HAL2001
Privacy, Security, Encryption
In an unexpected move for a security company, SecurEnvoy today said that cyber break-ins and advanced malware incidents, such as the recent DDoS attack by LulzSec, should actually be welcomed and their initiators applauded. The company's CTO Andy Kemshall said: "I firmly believe that the media attention LulzSec’s DDoS attack has recently received is deserving. It’s thanks to these guys, who’re exposing the blase attitudes of government and businesses without any personal financial gain, that will make a difference in the long term to the security being put in place to protect our own personal data!"
Thread beginning with comment 479029
RE[4]: Comment by MORB
by Neolander on Wed 29th Jun 2011 07:39 UTC in reply to "RE[3]: Comment by MORB"
Neolander Member since:
2010-03-08

It's certainly not the same, but if there's a way to take a server down with a small amount of organization/friends, due to the way the software running on this server works, it's another form of security vulnerability.

Score: 1

RE[5]: Comment by MORB
by Alfman on Wed 29th Jun 2011 12:45 in reply to "RE[4]: Comment by MORB"
Alfman Member since:
2011-01-28

Neolander,

"It's certainly not the same, but if there's a way to take a server down with a small amount of organization/friends, due to the way the software running on this server works, it's another form of security vulnerability."

This speaks to unscalable designs and systems; however, a company can find itself in a situation where systems can handle the legitimate load of X customers, but not X + Y attackers. I'm uncomfortable with the conclusion that a company ought to design the infrastructure to handle X customers + Y attacks.


Edit: Although, what choice is there?

Edited 2011-06-29 12:53 UTC

Score: 2

RE[5]: Comment by MORB
by Soulbender on Wed 29th Jun 2011 14:58 in reply to "RE[4]: Comment by MORB"
Soulbender Member since:
2005-08-18

Availability != security.
The fact that a site wasn't designed to withstand a DDoS does not mean it suffers from a security problem and neither is inefficient code a security problem.
It's usually not feasible to start out with a site and infrastructure designed to handle the volume of YouTube or Facebook or a DDoS.
Deploy now, get customers and worry about scalability when the need arises. Even a DDoS once or twice is not a cause for concern unless it has a major impact on your bottom line and/or is caused by a security problem.
Some wise guy said something about premature optimization a long time ago and it's still true.

Score: 2

RE[6]: Comment by MORB
by Alfman on Wed 29th Jun 2011 15:52 in reply to "RE[5]: Comment by MORB"
Alfman Member since:
2011-01-28

Soulbender,

"Some wise guy said something about premature optimization a long time ago and it's still true."

I agreed with you up until this point. Too many people in CS use the quote above to justify designs with very poor scalability. Never forget that the quote was from the 1970s when the inefficiency typical of computing today was not yet conceivable. I'm afraid if modern day CS developers were sent back in time to work with Knuth, the quote you'd be reading would be quite different.

Score: 2

jabbotts Member since:
2007-09-06

I'd suggest that DDoS vulnerability is indeed a security issue. Security is not just concerned with protecting the information in that one box. It is also concerned with protecting the system resources for legitimate use. A denial of service removes resources from legitimate users.

If your network gets flooded out by packets, you have a security mechanism failing to filter packets properly.

If your software gets crashed into a denial of service condition, you have an exploitable vulnerability in the code that needs to be addressed.

If your website takes down your webserver due to resource exhaustion through a designed website function, you have site code that needs to be addressed.

The information systems are a business resource that needs to be protected in addition to the information those systems house. Denial of service demonstrates an exploitable flaw in the security of those systems.

Score: 2