Crispin Cowan wrote:

> I participated in that Lincoln Labs study, and my recollection is
> that the remote/local distinction was already popular on bugtraq at
> the time.

I was working on that project, and Dr. Cowan's recollection matches mine. Talks of "local" and "remote" were already in use somewhat on Bugtraq, although I don't think they had yet become universal. (I'd like to claim that the Lincoln studies helped push use of those terms along, but the concepts are so simple and elegant that their universal use was inevitable.)

One of the mental models involved in those 1998 classifications of attacks was a "presence" of an attacker -- is the attacker outside your network, on your network, or on your machine as a non-privileged user? This model doesn't necessarily fit in well with some of today's most common attacks, as was mentioned when this thread started.

It's not that trojan horses (whether you interpret that to mean just hostile applications, or hostile data run by vulnerable applications) weren't known about in 1998. It's that those attacks weren't considered all that important when compared to things that were more common at the time -- smurf attacks, pings of death, Sendmail buffer overflows, SYN queue starvation.

I've seen a lot of classification schemes proposed on Bugtraq in the intervening years, some of them quite good. (Search the archives for "taxonomy" or "classification".) But unless they are -very- simple to use, they won't be taken up by the community. If you can come up with a single word that imputes the concept of "malicious data that I can easily get onto the victim's machine and in front of the victim's eyes but requires him to run it," that would be a great step forward. Simplicity is key.

(Unlike this posting, which I did not have time to make shorter and simpler.)