[Discussion] toward what goal?

Matt Jonkman jonkman at jonkmans.com
Fri Oct 17 17:13:49 UTC 2008


Jack Pepper wrote:
> Here's a strange idea:
>    Rather than deciding how to build it or what to build, try to
> figure out what you would want to do with it.  Otherwise you may end
> up building something which is totally, *totally* cool, but has no
> practical application (à la GNU/Hurd).

Very good point. Personally, I want a way to use all of the information
we know about bad things. I want it to work well without having to read
3 books about it to configure it well, and give me actionable stuff and
keep the rest to itself.

What else can we add to that?

Matt

>    so here's my theoretical brain exercise:
>      "If the " +
>      [ insert your choice of constituency here, as in CIO / Network  
> Admin / Switch Vendor / Defence Department ] +
>      "had perfect visibility into the activities of " +
>      [ insert sensor medium here, as in Network Traffic, server or
> firewall Event Logs, Network Solutions' invoicing system, Paris
> Hilton's Cell Phone ] +
>      "with an AI engine and associated toolkit for data drilling and  
> correlation, what defensive or offensive actions could they take that  
> are not currently feasible or practicable?"
> 
> When this is clear in our minds, we will know better what to build.   
> If you just want to build a better Snort, that sounds quite pointless,  
> given that snort has evolved already to become the best packet content  
> scanner on the market.  All the downsides of snort involve the input,  
> output, actionable outputs, reporting actions, rule parsing  
> limitations, limitations of the host OS, problems with PCI adapter  
> limitations, DMA speeds, PCI-x limitations, etc, etc.  The core engine  
> and architecture are very nicely adapted (as in evolution/natural  
> selection) to the task at hand.
> 
> To be truly revolutionary (relative to current technologies) the
> problem needs to be narrowed toward some action we wish to take that
> is not currently possible or reasonable.  Consider:
>    1962: single goal of high altitude observation built the YF12/SR71
>    1969: single goal of highly survivable communications built the DarpaNet
>    1978: single goal of radar evasion built the F117/B2
> (those three lines should trigger an off-topic flame war, I didn't go  
> look up the dates, I'm just working from an old guy's memory)
> 
> To be worthy of the challenge, the team goal needs to be highly
> focused.  Then it will be possible to achieve great things.  What is
> the goal?  What is the point?
> 
> we all know how to build a mega-snort box, but no one does it because  
> there is no reason to do it.  Can't sell it, no one would buy it,  
> don't really need it, and don't have $200,000 just lying about.   
> Mega-snort doesn't really get us very far toward the goal.
> 
> My 2c.
> 
> jp
> 
> ----------------------------------------------------------------
> @fferent Security Labs:  Isolate/Insulate/Innovate  
> http://www.afferentsecurity.com
> 
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc