Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Buttons840 4 days ago

DDoS is not valid security research, it's just destruction.

Also, we need to clarify the scenario because you said:

> the likelihood of exploit is low

but you also mention the need to stop people "accidentally" exploiting the system, so which is it?

A system that can be accidentally broken by bumbling idiots does not deserve protection IMO.

4 days ago | parent | next [-]
[deleted]
kube-system 4 days ago | parent | prev [-]

> DDoS is not valid security research, it's just destruction.

I didn't say anything about DDoS in my comment. DoS is a term referring to a loss of availability. Availability is one of the three fundamental parts to the CIA triad, so yes, it is absolutely something security researchers evaluate.

> Also, we need to clarify the scenario because you said:

> the likelihood of exploit is low

> but you also mention the need to stop people "accidentally" exploiting the system, so which is it?

I said "accidentally doing harm". For a real world exploit to happen, you have to have a couple of different things align. First, you need a vulnerability. Second, you need some way that somebody could exploit that vulnerability. Third, you need a reason that somebody's going to do it. A vulnerability simply existing isn't enough to make it a problem.

Now, in an academic lab environment, most people don't really care about the likelihood of exploit or the motivations of an attacker. Because the point is academic computer science.

But the people who secure systems in the real world have to care about the likelihood of exploitations in the motivations of their attackers. Because it's not possible to secure everything in a production environment, where you also have to ensure the availability of the system and the usability of the system to your stakeholders. You always have to make a compromise between the two.

So, in the real world: the locality of the attacker, the legal environment, and the impact of the exploit all play very significant roles in how someone might weigh a significance of an exploit.

To make up a contrived example:

Let's say that all I have to do to cancel electricity service, create an online account using the information from a power bill, and press the cancel button. There's an obvious exploit here. I could dig through my neighbor's trash, get a copy of their bill, create an account, and shut off their power.

Do we wanna legalize this activity? No, I don't think so. Are we at risk of a nation state exploiting this? No, probably not because they don't have access to everyone's trash everywhere. Also, you couldn't really do this at scale because it would be obviously not intended. Should we require more authentication just to say we've plugged the hole? Also, probably not. Electricity service has to be accessible to people. We can't require onerous authentication, when many of the customers may be elderly, disabled, etc. Instead, we as a society solve this problem by making this activity a crime. In this works just fine, because anyone who has physical access is already in that legal jurisdiction as well.

I'm sure you can imagine dozens of other similar scenarios. The point is that information security is a lot more complicated than just adding authentication to a webpage. Information security isn't a technology problem. It's a people using technology problem.

I don't think we want to legalize activity similar to what is in my above scenario. That's the kind of situation where people may be accidentally causing harm that they wouldn't be doing now, because they would go to jail. But if you legalize it, people are going to do it in an attempt to monetize it.