[langsec-discuss] lastpass hax - I think this is langsec
Falcon Darkstar Momot
falcon at iridiumlinux.org
Wed Jul 27 21:35:17 UTC 2016
The usual framework is to use quantitative risk analysis and calculate
exposure factor (the amount that will be lost in an attack, up to the
value of the asset) separately from the (annualized) rate of
occurrence. It would be interesting to see someone actually document
the relationship between target value and rate of occurrence, but most
of the material about quantitative risk analysis in the context of
information assurance has been complete handwaving, or else too
complicated for anyone to actually use in practice, but existing
frameworks look a little like doi:10.1016/j.cose.2010.02.002
<http://dx.doi.org/10.1016/j.cose.2010.02.002>: a lengthy list of
essentially unknowable contingent probabilities based on incomplete

Thinking about QRA I'd have to say that the desirability of a target for
an attacker must factor into the periodic rate of occurrence, but I
don't actually know anyone who is doing that as an established,
documented practice (alas). I think this remains an unsolved problem.
How would you quantify the valence of lulz? Attackers aren't uniform in
their goals either, and external events can affect valence. Lastpass is
interesting because it seems to be useful to basically any attacker, but
this is true of surprisingly few targets. Maybe that is a good place to

In a QRA framework, competent coding serves mainly to reduce the rate of
occurrence of attacks.

On 2016-07-27 12:41, David Fetter wrote:
> On Wed, Jul 27, 2016 at 09:57:14AM -0700, travis+ml-langsec at subspacefield.org wrote:
>> Something about FSRs and parsing.
>
> This brings up something that isn't actually in the realm of langsec,
> but since it came up here, I'll set out a few thoughts here.
>
> Even given supremely competent coding, which is not in evidence in
> lastpass, does the act of creating a target with that high a value
> /ipso facto/ make it more likely to be attacked successfully? There's
> some game theory and non-equilibrium economics here that I'm really
> not competent to address.
>
> Are there any formal ways to address such questions? Obviously,
> they're not strictly langsec, but since I'm such a n00b at matters
> security, I just don't know even what keywords to start my search
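A worked example of the QRA bookkeeping the reply above describes, added here and not code from the thread or from anyone on it. It uses the textbook identities SLE = AV * EF, ALE = SLE * ARO and safeguard value = (ALE before - ALE after) - annual safeguard cost, models "competent coding" the way the reply does (as a reduction of the rate of occurrence rather than of the exposure factor), and shows why the unknowable ARO dominates the answer. The `desirability` multiplier on ARO is an assumption introduced for this example to model the open question of target attractiveness; the thread says nobody does that as a documented practice, and all figures are constructed.

```python
"""Quantitative risk analysis (QRA) bookkeeping, worked through in code.

Added illustration, not code from the original thread. Textbook identities:
SLE = AV * EF, ALE = SLE * ARO,
safeguard value = (ALE before - ALE after) - annual safeguard cost.
The `desirability` multiplier on ARO is an ASSUMPTION made here to model target
attractiveness feeding the rate of occurrence; it is not an established practice.
Every number below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    asset_value: float          # AV: value of the asset, in currency units
    exposure_factor: float      # EF: fraction of AV lost in one incident, 0.0..1.0
    base_aro: float             # ARO for an "average" target, incidents per year
    desirability: float = 1.0   # assumed multiplier on ARO for target attractiveness

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        if min(self.asset_value, self.base_aro, self.desirability) < 0:
            raise ValueError("asset value, ARO and desirability must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: cost of one incident, capped at AV because EF <= 1."""
        return self.asset_value * self.exposure_factor

    def aro(self) -> float:
        """Annualized rate of occurrence, scaled by the assumed desirability multiplier."""
        return self.base_aro * self.desirability

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro()


def with_secure_coding(scn: Scenario, aro_reduction: float) -> Scenario:
    """Model competent coding as the thread does: it lowers the rate of occurrence,
    not the exposure factor. aro_reduction is the fraction of attacks removed."""
    if not 0.0 <= aro_reduction <= 1.0:
        raise ValueError("aro_reduction must be between 0 and 1")
    return replace(scn, base_aro=scn.base_aro * (1.0 - aro_reduction))


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual benefit of a control; negative means it costs more than it saves."""
    return before.ale() - after.ale() - annual_cost


def ale_interval(scn: Scenario, aro_low_factor: float, aro_high_factor: float) -> tuple[float, float]:
    """ALE bounds when the ARO is only known to lie within a multiplicative range.
    ALE is linear in ARO, so the entire ARO uncertainty lands in the result."""
    return (scn.ale() * aro_low_factor, scn.ale() * aro_high_factor)


if __name__ == "__main__":
    # Constructed figures: a high-value credential store, 40% of value lost per breach,
    # base rate one incident in twenty years, assumed four times as attractive as average.
    vault = Scenario(asset_value=1_000_000, exposure_factor=0.4, base_aro=0.05, desirability=4.0)
    hardened = with_secure_coding(vault, aro_reduction=0.6)
    print(f"SLE {vault.sle():,.0f}  ARO {vault.aro():.2f}  ALE {vault.ale():,.0f}")
    print(f"after hardening: ALE {hardened.ale():,.0f}")
    print(f"net value of a 20,000/yr secure-coding effort: "
          f"{safeguard_value(vault, hardened, 20_000):,.0f}")
    lo, hi = ale_interval(vault, 0.5, 2.0)
    print(f"if ARO is only known within a factor of two: ALE between {lo:,.0f} and {hi:,.0f}")
```

The `ale_interval` check is the point of the exercise: tightening the exposure factor to three decimal places buys nothing when the rate of occurrence is only known to within a factor of two, which is the "unknowable contingent probabilities" problem the reply complains about, stated as arithmetic.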