Date: Sun, 26 Jan 2014 16:39:53 -0600
From: Brandon Perry <bperry.volatile@...il.com>
To: David Kennedy <davek@...bycon.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Making waves on Twitter!

So, here are the problems I have with both sides of this debate right now.
I wouldn't normally play along with politics like this, but it's a nice
Sunday afternoon, and I am feeling saucy.

I post this in an open forum because I believe this debate is useful in an
open forum and I don't believe that Dave should be going up against
polidiots in Congress alone.

Let's think about what is happening. Our claim is that healthcare.gov is
insecure. We are the ones making that claim, and so the burden of proof is
on us. They have effectively proven that they had some sort of pen tests
done (who knows the scope, or how much risk was simply "accepted").
However, the only way to prove that the website is truly insecure is to
break the law. They know this (and let's not forget there is extreme bias
here). You need to look at this from the point of view of the people you
are trying to convince.

I hate this term "passive reconnaissance" because the people you are trying
to convince have *no* idea what this means. You are either using the
website in the way it was intended or you are not (their POV, not mine).
That paints a black and white picture that could fall under the CFAA. In
fact, passive recon sounds like something the NSA does to collect metadata.
Just saying.

Krush obviously has no idea how software development works. Yes, let's
build honeypots into our extremely time-crunched multi-million dollar web
application instead of actually building security measures in. That makes
perfect sense. However, he is playing the political game that Dave is not.
He knows exactly who his audience is, and plays straight into their hand. He
is telling them anything vaguely technical that backs up the story that
everything is secure. And you can't prove that what he is saying isn't true.

The fact that no "real" data is stored permanently (a point that both the
Congress people and Krush make repeatedly) is no point at all. TJX and
Target both had all their data stolen in transit (memory scanning malware).
Neiman Marcus and Michaels are now likely in that boat as well. This is the
perfect time to refute their point since it is fresh on everyone's mind.
Any data existing on those servers at any given point in time should be
considered at risk.

There needs to be a solid story on the 70,000 number. Is there source code
available for these scripts? Dave is going to get clobbered on this if he
can't show exactly what this means. Anyone that is technical probably
understands what is happening, but to anyone who doesn't know what an HTTP
request is, the explanations are very soft and confusing (most media
outlets?). This doesn't work in favor of the arguments because it makes it
seem like something is being hidden.

In the end, this is a political problem. Not a technical problem. You can
throw out hard numbers (hell, they might even be correct), and they can put
words in your mouth and twist what you say to discredit you and you lose.
Politicking is all about 10 second sound bites. That is their game right
now. Not to prove Dave wrong, but to discredit him.

Let's recap: we can't prove the website is insecure without breaking the
law, and our politichildren are not concerned about proving it is secure.
They probably don't even know what "secure" means when it comes to
technical systems like healthcare.gov. I believe Dave is approaching this
as a technical problem, when this is actually a political problem.

For the hell of it, I will drop a Reaganism[1]: Trust, but verify. We are
effectively being told "trust us, it is secure". We should be saying,
"Fine, we trust you. Let us verify". Our tax dollars built the system.
Maybe we should be allowed to view the source code.

I don't really expect any replies, but I love to eat crow. Feel free to
teach me something.

/me grabs some popcorn


[1]. I believe Reagan stole this from the Russians.


On Sun, Jan 26, 2014 at 3:03 PM, David Kennedy <davek@...bycon.com> wrote:

> As long as it involves the death star creation we may have a chance..
> On Jan 26, 2014 9:57 PM, "Brandon Perry" <bperry.volatile@...il.com>
> wrote:
>
>> I think the only way to solve this debate is a Celebrity Deathmatch-style
>> stand off.
>>
>> I will get the petition ready on https://wwws.whitehouse.gov/petitions.
>> Stay tuned.
>>
>>
>> On Fri, Jan 24, 2014 at 9:05 AM, David Kennedy <davek@...bycon.com> wrote:
>>
>>> Yoooo, what's up. This dude is crazy and probably Waylon Krush (can't
>>> confirm that). He's been tweeting each news organization in an attempt to
>>> throw a bunch of crap out there. Make your own determination, but I'm not
>>> the only one that's found it. First it was I absolutely had access to 70k
>>> and I'm the next Weev and should be arrested, now it's I've morphed myself
>>> into a media whore. Regardless, when it's fixed, I'll post as I've always
>>> said. Even did a full writeup and updates explaining everything:
>>>
>>>
>>> https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/
>>>
>>> Dude keeps changing and morphing the story into a bunch of different
>>> things and changing the story. Happy to explain whenever and I'm not the
>>> only one who came to the same damn conclusion, 7 others did as well that
>>> were under NDA.
>>>
>>> Make your own determination, I've always done things on ethics and being
>>> up front, not hiding in the shadows and claiming insane things behind cloak
>>> and daggers.
>>>
>>> -Dave
>>>
>>>
>>> truthinallthings@...hmail.me via lists.grok.org.uk Jan 22 (2 days ago)
>>> to root, full-disclosure This site is making waves on twitter:
>>> http://70000in4mins.wordpress.com/ So what say you? Has our dear sweet
>>> Lord of the SET hacked healthcare.gov? <http://healthcare.gov/?> Or did
>>> he lie about what is really going on to get close to his heroes at Fox
>>> News? Has the spotlight turned him into another Gregory Evans? Desperate
>>> and willing to do anything for his next hit of the spotlight? Or did he
>>> find a way to have Google let him do 70,000 searches in four mins like he
>>> claims?
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>>
>> --
>> http://volatile-minds.blogspot.com -- blog
>> http://www.volatileminds.net -- website
>>
>


-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
