From: secresearcher at hushmail.com (secresearcher@...hmail.com)
Subject: A Few Realities About Security Re: Microsoft Cries Wolf ( again )

Reality. I have a critical vulnerability with Microsoft right now. Only
their people and myself - and a few other researchers at my company -
know about it. This affects every Windows OS across the board. You can
be with the US government... or with Saudi Arabia's government -- if
you use Windows, I can hack your system.

Microsoft should give me a badge saying, "This man has the right to know
about a backdoor in Windows OS bigger than what the NSA could ever hope
to have." They should put on the front page of their website my picture,
saying, "While we fix this bug, this man knows how to get into your
systems."

But, nobody ever thinks about this.

The media doesn't understand this angle.

Perhaps no one should. I am trustworthy. You can trust me not to tell
anyone the specifics of these bugs. Not even my best friends. Not even
my wife. For three months - the minimum amount of time Microsoft has
taken to fix my bugs - nor for six months... the longest they have taken.

Yes, though diplomats and bank executives are always prone to my critical
bugs... I won't ever use my bugs on you.

I don't get paid too much, but luckily for you I am a solid American,
a good Christian.

I am a professional. I have seen top military advisors blurt out secrets
in Vanity Fair -- but, me, I know all about keeping secrets. I think
these guys are amateurs.

I am not telling you where I work, what bugs I find, or anything of this
nature. I know this. Because, I am a professional. I have great experience
with secrets. I respect secrets.

I also realize readers will understand my sarcasm here. Yes, everything
I have said is true. Indeed, only someone like me would be so astounded
that Microsoft so trusts me -- because they do not know me. And, what
about every other security researcher and every other security company?

I read about how guys in the security industry get various rights to
handle varying degrees of classified material. Yet, I know that the security
bugs I deal with - security bugs my co-workers deal with - these things
could be used to hack into any system anywhere. Heck, the government
itself should finance us, if only to ensure we could afford the kind
of physical and network security we should have here -- massive metal
doors, security cameras, on presence security guards, counter-surveillance
teams, etc, etc.

What if terrorists broke in and got our archive of zero day? What if
North Korea did this? What if Cuba did this? What if the Russian mafia
did this?

People that don't find critical security bugs in 100 million plus systems
don't think on this. People that do, do do this. Even those that are
less politically aware than myself.

Now, what if someone with more loose lips disclosed such a bug on IRC?
What if they told a hacker friend who had an issue with who knows what
government or company and did some worm?

Schmidt was absolutely right (and it is our advice he listened to) --
zero day viruses are a massive threat. We have been going on borrowed
time.

Understand, these renegade virus writers that have also been able to
find zero day are not the top of the line people. They are the first
of an emerging breed of attackers.

Finding serious security vulnerabilities in 100 million plus systems
may not be getting easier -- but more and more people are learning how
to do this. Combining that knowledge with the ability to code a nasty
worm or trojan may not be getting easier -- but sooner or later, you
will find rogue nations, corporations, and organized crime capable of
doing this.

We do not get paid very much. Not every security researcher has such
morals as I do, nor as my co-workers do. Talent and morals do not always
go hand in hand.

Applications which truly protect against zero day are extremely rare.
Systrace does this effectively -- but how many admins use this, how many
use it effectively? SecureEXE, how many use this? Entercept? Trivial
to get around. Firewalls like Zone Alarm which attempt to do proper application
gating that protects against unknown trojans based on the same kinds
of concepts as systrace uses? These are trivial to get around.

Zone Labs recently replied that these attacks are not trivial. They are
correct, only in the sense that they assume one person won't make the
trojan and another use it. It only requires one public release -- and
a bunch of script kiddies hex editing it so it bypasses signature based
AV for a problem to result.

Much of these problems are due to incompetence, poor funding, and security
companies that mislead the public. Poor funding is probably the biggest
problem. We security researchers get little respect. Look on monster.com
or dice.com for how many companies are hiring security researchers? Security
enabled QA people? It is dismal.

If you want to get a job -- get your CISSP and play dumb. If you want
to find companies hiring for code reviewers? Forget about it. Not happening.


This does not mean I support the wannabe "black hats" posting here, debating
on IRC, playing stupid poseur games. That whole scene is fake, a pose.
It is disgusting. These guys don't know a "black hat" from the tooth
fairy.

No, "black hats" hack for money. People should realize this. Law enforcement
realize that people are generally bad -- but law enforcement personnel
of any caliber are far removed from computer security.

Indeed, there is no law enforcement branch for the Internet. You get
hacked, it has to be over multiple thousands of dollars of damage, then
the FBI might be interested. The FBI. That is like using a sledgehammer
to type on your keyboard. They are underfunded, under experienced, undermanned
for such tasks.

If you see a lot of busts -- that is high profile gimmickery. It is a
sham. It makes law makers blind to the realities. It is as unjust as
the fact that RICO laws weren't used against the Mafia for over a decade.
It is as unjust as the fact that Hoover claimed for decades "there is
no mafia".

And, let's not even contemplate the rest of the world.

Hopefully, this little speech was enlightening to some people. Some,
I am sure, will be arrogant and not believe it. Such people have the
reasoning faculties of a child. Not surprising, since it is extremely
rare that security researchers actually read books on subjects other
than on security. Look at slashdot comments. They are morons outside
of tech issues (indeed, most are morons even inside tech issues).

Anonymous Security Researcher