Date: Thu May 11 18:22:35 2006
From: n3td3v at gmail.com (n3td3v)
Subject: MS06-019 - How long before this develops into a self propagating email worm

On 5/10/06, Juha-Matti Laurio <juha-matti.laurio@...ti.fi> wrote:
> threat meters:

Seriously, threat meters are a waste of time and should be scrapped by all.

UK has said it will never implement a terrorism threat meter, as the
Bush administration already does to create a sense of public fear when
the political climate requires the government to have public support
on issues.

It is known that U.S government has raised the threat meter when their
poll rating is low, to get the public on-side that "we know more than
you do, just trust us." propaganda.

Would a threat meter have stopped 9/11 from happening?

And what do you do if the meter goes to "high alert"? Are folks
supposed to stop their everyday lives and start looking at everyone
who looks of eastern origin in a paranoia frenzy?

On 7/7 the London bombings, the government and security services were
caught by surprise, they had no idea about "the threat" yet innocent
folks died and the city of London went into lock down over fears of
further attacks, so much so, an innocent member of the public was
shot, because the police thought he was a potential suicide bomber. He
wasn't, the police had committed a murder, because of fear, the fear
and paranoia the terrorists wanted the government and the public to
have, they won in London, and the terrorists won in America too. Look
at the way America has reacted, in the same way the UK government and
intelligence services have. In the way the terrorists planned it to
be. To create a fear, a paranoia, a terror in the minds of everyone.

Threat meters, what do they do? They play the role of the terrorist,
bring fear, let the public know the terrorists are around. Even though
only one building in one city or one train in one city would be
a target, the whole entire nation is put on an artificial "high state of
alert". The government of U.S don't even say "high state of alert for
X city", they just have some threat meter covering the entire U.S

The same goes for the internet. We're always being told that terrorism
will one day come to cyber terrorism and hit governments and
businesses hard. Yet no specific targets are ever mentioned. It's a
threat meter for all, everyone, the so-called cyber security agencies
can't even give estimates or likeliness of attack, they just raise a
threat meter to create a hype and a need to buy the products X
security company has on offer to "protect consumers and corporations
from imminent attack".

Let's call it "paranoia meter" because it's hearsay, there is no
particular threat. Just because a vulnerability is wild and not
patched, does not pose a threat. In terrorism a threat is specific
information that an attack is being planned. Although, the internet
threat meters are lamer than the mainland threat meter (and even the
mainland threat meter is lame), because it's completely based on
hearsay, there's an unpatched vulnerability, "this could happen, but we
don't have any intelligence whatsoever that something is being
programmed, but we thought we'd raise the internet threat level, you
know because there's nothing else happening".

Basically, the cyber security companies are creating a hype to be
suggestive to malicious users, and of course the malicious users will
often bow to such a threat level and release an exploit worm to the
wild.

Although, that's how it used to be. The "bad guys" have realised now
how much money these cyber agencies are making out of exploit virii,
that they've decided not to launch an attack, based on their threat
meters. The only time a real threat will come is when cyber agencies
are off-watch. Why would an attack be launched if governments and
businesses are expecting something to happen? The element of surprise
is as important as the terrorism which gives them the name terrorist.

I conclude to say, the cyber security companies, were once good at
their predictive attack guesstimations, but no longer. In today's
climate (right now) folks are more than aware of what's going on
around. No longer will the would-be exploit virii offer play lap
puddle to cyber security agencies, mcafee, symantec, trendmicro,
us-cert and the others.

Attacks will come at the least expected point. Attacks won't come
based on code you guys are "aware" of. Attacks will come without
warning. Attacks will come when you least expect it. Attacks will
never be predicted, will never have an early warning for, will always
be a surprise from now on.

Welcome to the future. Times are changing. You can create a paranoia
amongst the community, but the new kids on the block aren't playing a
destructive game of tig between malicious users and security vendors.
The ball is in the malicious users' court. Each time you raise your
threat level and nothing happens is eating away at the credibility of
security vendors, although the bad guys always will have a cool knack
of creeping up on everyone when they least expect it.

Raise your threat meters, you're spoiling your own business by doing
so, malicious users the more they hold off attacks, the more security
vendors will be damaging their own credibility.

It makes sense to allow security vendors to keep raising their threat
levels every time.

If the threat level is raised before something happens, then the job
of the terrorist is done, there is no need for attack. If security
vendors kept their threat meters and hype at green for say 6 months,
even during times of zero-day, then that would push hackers to launch
attacks, but as soon as you raise your meters for zero-day and no
actual intelligence that a virii attack is being actively programmed
by named individual(s), then there's no likelihood that an attack will
appear.

Security vendors, scrap your threat meters, they only prevent you making money.

Your "threat meters" are playing into the hands of the terrorists, the
hackers, the script kids, the vxers.

Although, has it ever been the case "thanks to your threat meter I
wasn't hacked", or with mainland terrorism "thanks to the terror
meter, I spotted a terrorist and called the cops and managed to divert
a 9/11 style attack"

Take carez,

n3td3v
