| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: pauls at utdallas.edu (Schmehl, Paul L) Subject: [PHC] Sermon #3 (w/ reply to Paul Schmehl & others) -----Original Message----- From: phc@...hmail.com [mailto:phc@...hmail.com] Sent: Friday, November 22, 2002 6:28 PM To: full-disclosure@...ts.netsys.com Subject: [Full-Disclosure] [PHC] Sermon #3 (w/ reply to Paul Schmehl & others) [PHC] Paul, Your network will never be secure. [paul] This is a given. [PHC] People seem to think Attack Windows -- a term coined by the same class of people who brought you the Nop Sled (tm) -- exist between public vulnerability disclosure and public patch release. This is untrue; Attack Windows exist from public vulnerability disclosure right back into the long forgotten past. Example: if in 2010 a vulnerability is publicly disclosed in a widely used program that has been used for 20 years, then every box on the planet using that program has been at risk for 20 years, and not merely the week or so between public announcement and public fix. In retrospect, the security industry accomplished nothing in 20 years, except stuffing their pockets with cash and generating a false sense of security. [paul] Agreed, as to the first part, but your conclusion doesn't follow. They may have accomplished nothing WRT that one weakness. That says nothing about other weaknesses they may have exposed and which got fixed as a result. Do you *really* expect intelligent people to believe that the "Trustworthy Computing" initiative that Microsoft has undertaken would have *ever* happened without the steady stream of embarrassing disclosures, culminating in the awful buffer overflow in UPnP, that led up to that announcement? Frankly, that stretches credulity to the breaking point! If the security industry wasn't constantly exposing Microsoft's warts, there would be no "Trustworthy Computing" initiative, there would be no security department at Microsoft, there would be no security bulletins, there would be no "hotfixes". You cannot honestly believe that, in the face of Microsoft's awful security record, that silence would be the correct behavior! [PHC] Insecurity will be perpetual. As democow said, blackhats will always be able to compromise you. Scriptkids will not be able to compromise you if you always manage to win the scriptkid-admin race that occurs when a new bug is disclosed on a security mailing list. However, not all admins will be so lucky. The security industry in this manner has increased not only the number of attackers exponentially, but the threat to the Internet at large. This is a cycle that can stop, but it won't happen while the security industry can make money on it. They need figures and statistics to market their flimsy products. They need visible threats to justify their existence. They need widespread defacements and system compromises. [paul] And the alternative is? Assume for a moment that everything you've said so far is correct. Assume further that there is no security industry to "blow the whistle". Then this is the situation: all systems are insecure by default and will always be insecure, and the holes are only known by a select few, the so-called blackhats. What options do the network admins have then? I submit they have none. Each time a system is compromised, the admin then either has to learn enough programming to be able to *correctly* understand the source of the problem (assuming he has access to the source) *or* demand that the vendor fix the problem that allowed the breakin. But the admin has no leverage with the vendor. He's already paid for the software. He has no contract with the vendor to protect him. Even if he can motivate the vendor to fix the problem, it's probably going to be in a new release, not in the existing one (because then the vendor would have to announce the problem to all his customers.) Furthermore, that admin has an ethical obligation to let other users know about the weakness. Otherwise he is culpable in their future breakins. [PHC] In the SecurityFocus article, _Full disclosure is a necessary evil_, Elias Levy agrees that full disclosure brings more short-term insecurity than non-disclosure does. So it's not only the 'blackhats' who see this. However, Levy qualifies this short-term insecurity as a "necessary evil" to effect long-term security. Just HOW long-term is a matter of conjecture, but based on the security industry's own tenet that "no software, system, or network can be totally secure," we don't ever see the final destination being reached by the security industry. Instead, we see them as the purveyors of lies and broken promises who will never be able to deliver what they're paid for. This holds true even for the 5% of 'programmer-phrack-magazine-esque' security professionals Who Have A Clue. The crazy thing is that it's their inability to deliver the goods that keeps them in business. While they rake in large amounts of cash and fail miserably at their self-appointed task, their failures succeed in convincing the gullible that they're still needed. [paul] You can't have your cake and eat it too. If, as you say, there will never be anything like total security in software, then you can't also accuse the security industry of having failed in their mission, simply because the forgone conclusion has been reached. Under the conditions which you describe, success can never be reached. However, if the security industry has helped close one single hole, then they have succeeded more than if they had done nothing, which is what you're advocating. Furthermore, you cannot accuse the security industry of failing because the software vendors have failed to program securely. The security industry's job is to reveal the problem and suggest solutions. They cannot force the vendor's to fix the problem. [PHC] There was a Vuln-Dev thread on Alan Turing's "Halting Problem" (we remember this thread because it was probably the only educated thread ever to appear on Vuln-Dev, not to mention a brilliant battle of wits between Lcamtuf-the-Brain and Mixter-the-Fucking-Narc) that brought the identification of security holes in software under the light of elementary discrete mathematics. This added to the tenet mentioned above. We mention this to reiterate what we said in Sermon #2 about all disciplines of study being applicable in some way, however slight, to the problem we seek to change. See, even a math nerd can help us. [paul] Try to understand the problem from the viewpoint of a network admin. Most could care less about the philsophical debates that surround these issues. Most don't want to learn to program, more than what is necessary to automate routine tasks. They don't want to master multiple disciplines *in addition to* their chosen profesion, and they don't want to have to deal with breakins on top of all the other problems that come with trying to network heterogeneous systems and protocols so that users can seamlessly access what they want and need to access. What you are advocating is that they simply "deal with it", rather than offering any solutions to the problem. [PHC] In summary, the security industry is reaping large sums of money for doing absolutely nothing for Internet security. [paul] You can't make this leap of logic from the evidence that you've presented. You claim that it's impossible to completely secure software systems. Then you accuse the security industry of having failed because they haven't completely secured those systems. And if the security industry has caused the "Trustworth Computing" intiative to come to pass, then you certainly can't accuse them of "doing absolutely nothing". [snipped the irrelevant political diatribe] [PHC] We can churn out sermon after sermon, but it will do little good if nobody gives a damn. We're not fools to believe all this talk will do anything great. If you see what we are fighting for, then PLEASE contribute Stuff to the cause, where Stuff can be textfiles, graphics, old AntiSec posts, ideas, constructive criticism, whatever. [paul] What I see you preaching for is for my network to remain vulnerable and compromised forever. That's not a goal I would work for. So why should I assist you in yours? [PHC] And if you call anything that moves a "scriptkid" or a "lamer," for fuck's sake, do not bother replying to this. [paul] No, I call people who break in to other people's computers jerks. I really could care less what motivates them to do it. Paul Schmehl (pauls@...allas.edu) TCS Department Coordinator University of Texas at Dallas http://www.utdallas.edu/~pauls/
Powered by blists - more mailing lists