Comments on Jeremiah Grossman: History Repeating Itself
(comment feed, last updated 2024-02-08)

Jeremiah Grossman, 2008-12-22 09:04 -08:00:

@inuk-x, thanks for the kind words. Some of the hacking events could have gone either way, as they contained my bias. It was a fun bit of research to think, "where was I when X happened?" :)

test, 2008-12-19 19:47 -08:00:

Jeremiah,

This was an excellent post and I really enjoyed reviewing the timeline and recalling the projects that I was working on during each particular year.

I find it interesting that you categorized the Mass SQL Injection attacks under software security, as I would have likely categorized it as a network security event, as the actual attacks are still carried out on the network.

Jeremiah Grossman, 2008-12-19 10:09 -08:00:

@Christian, thanks for the feedback and I did enjoy the quote. Got another one for ya that seems particularly applicable...

"When you know nothing, permit-all is the only option. When you know something, default-permit is what you can and should do. When you know everything, default-deny becomes possible, and only then."

- "Economics and Strategies of Data Security", by Dr. Dan Geer.

I see WAFs going down this road. First permit-all, then default-permit (blacklist, w/ some whitelisting), and finally, if we are very lucky, on some applications we'll be able to do full whitelisting.

Anonymous, 2008-12-18 22:54 -08:00:

I would not bet too much on the repeating nature of history. Usually it is much more complicated (and interesting) than pure repetition. Call it the professional scepticism of a historian.

However, I fell in love with the following quote by Mark Twain:

History doesn't repeat itself, but it does rhyme.

Other than that: nice blog post.

Personally, I believe that the trend goes in the direction of whitelisting on the WAF. And rather not in autolearning mode, or do you have a network firewall that does autolearning? But maybe I am falling for the repetition idea myself here.

Jeremiah Grossman, 2008-12-18 12:45 -08:00:

Thanks Rafal and yes, please go forth and publish cool stuff. It's interesting to see how events create the need for solutions, which in turn cause follow-on problems, highlighting the need for more. :)

Rafal Los, 2008-12-18 12:42 -08:00:

@Jeremiah:
Great time-line, made me think a little though (which is often quite dangerous this close to vacation); it took us *forever* to figure out network security was an "Internet-wide" problem. When I first started deploying firewalls and preaching about ACLs back in 1996/1997 I noticed that there were several steps people went through:
1. Dismissal
2. Apathy
3. Disbelief
4. Limited Comprehension
5. Acknowledgment
6. Standardization
7. Apathy

Ironically, but not surprisingly, I have a paper I was writing that's been back-burnered that details the 7 steps that have been the reaction of the general populace to any of the security concerns over the past, whether it be network security, system security, and now web application security. It may be time to dust off that notebook and finish that paper, huh?

Thanks for bringing this to front of mind... invaluable, and I'm sure it'll be referenced many, many times.

dre, 2008-12-18 07:58 -08:00:

*rolls*eyes*