From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: RE: [PHC] Sermon #3 (w/ reply to Paul Schmehl & others)

-----Original Message-----
From: phc@...hmail.com [mailto:phc@...hmail.com] 
Sent: Friday, November 22, 2002 9:56 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] RE: [PHC] Sermon #3 (w/ reply to Paul Schmehl & others)

[PHC]
------------------------------------------------------------------------
%Point 1% You agree this is a given.
------------------------------------------------------------------------

[paul]

Of course, but to clarify, it *is* possible to raise the bar high enough
that only the truly determined can find a way in.  It's analogous to the
physical world.  You can put up all the defenses you want, but if
someone is willing to take the risks, they can get past those defenses
and into the building.

[paul - previous]

Do you *really* expect intelligent people to believe that the
"Trustworthy Computing" initiative that Microsoft has undertaken would
have *ever* happened without the steady stream of embarrassing
disclosures, culminating in the awful buffer overflow in UPnP, that led
up to that announcement?  Frankly, that stretches credulity to the
breaking point!

[PHC]

------------------------------------------------------------------------
Granted, the security community may have increased vendor awareness, but
awareness alone does not lead to security. Even people who tug to
security 24/7, like Theo de Raadt, have failed miserably.
------------------------------------------------------------------------

[paul]

You have now conceded that the security industry has value.

The problem is that you paint everything in black and white.  No one
would dispute that there are people *in any industry* who are in it
simply for self-aggrandisement.  That's human nature.  But you attack
the *entire* industry for that, when in fact there are some really good
and dedicated people in security.  Marcus Ranum is one, and you clearly
admire him.  So why publicly condemn the entire industry when you don't
believe that yourself?  Doesn't that make you just as hypocritical as
the people you accuse of hypocrisy?

Why not attack what you believe is wrong instead?  You lose credibility
when you make blanket condemnations.

[PHC - previous]

It's wrong to expect Microsoft to develop perfectly secure software,
just like it's wrong to expect anyone else to be able to. Yet this
doesn't stop the security industry banging on about it, contradicting
their "there is no such thing as perfectly secure software."

[paul]

Actually, "banging on it" simply proves the maxim.  Not only do they
*say* there is no such thing as perfectly secure software, but they go
ahead and prove it.  For this they should be admired, not condemned, for
they have not just postulated empty rhetoric.  They have proven their
point.

[PHC]

I'm sure you realize the argument is not about "what brings security,"
as absolutes are not possible, but "what brings a better level of
security."

[paul]

Of course.

[PHC]

Based on the article mentioned in Sermon #3 and the articles of Marcus
Ranum (both written by prominent 'whitehats', hence no ulterior
'blackhat motives'), non-disclosure leads to a better level of security
in the short-term. Therefore, it remains only to be contested whether
full disclosure leads to better security in the long-term. Since
non-disclosure has a foundation in the short-term as being a workable
solution, whilst full disclosure in the short-term is detrimental (a
"necessary evil"), we feel that the burden of proof is on the security
industry to tell us why full disclosure in the long-term will be any
different to full disclosure in the short-term. We don't believe it will
be; we believe this "necessary evil" in the short-term will only
intensify as time goes by. We base this belief on the pattern that has
evolved over the last decade during the Reign of Full Disclosure.
Logical projection into the future tells us it will continue. We may be
wrong, and we invite correction.
------------------------------------------------------------------------

[paul]

OK, define "non disclosure".  Exactly what is it that you are
advocating?  Can you provide a pointer to Marcus' article?

[PHC]
------------------------------------------------------------------------
NON-DISCLOSURE
==============

short-term
----------
attackers: blackhats/professionals

long-term
---------
attackers: blackhats/professionals


FULL DISCLOSURE
===============

short-term
----------
attackers: blackhats/professionals
attackers: inordinate number of scriptkids

long-term
---------
attackers: blackhats/professionals (based on %Point 1%)
*** Is this stage (full disclosure, long-term) even reached? And if so, what
*** did it achieve that non-disclosure didn't, other than injecting scriptkids
*** into the digital ecosystem, causing a greater number of admins headaches,
*** and allowing the security industry to stuff their pockets with cash?
------------------------------------------------------------------------

[paul]

Please define "non-disclosure".  Are you saying that security
professionals shouldn't try to find holes?  Or are you saying they
should notify the vendor, but never publicize the vulnerability?

Sooner or later vulnerabilities will become public knowledge.  Either a
"blackhat" will talk or a professional whose equipment has been
compromised will figure out why and notify the vendor.  It's impossible
to keep a secret when more than one person is involved, and *by
definition* more than one person is involved when someone is hacking a
network.

You could argue about the *timing* of disclosures, but in practical
application, there is no such thing as non-disclosure.  At the very
least admins are going to share their horror stories in an effort to
figure out how to stop the attacks in the future.

[PHC]
------------------------------------------------------------------------
Blackhats exist in both schemes. There's nothing we can do to stop them.
It's just a question of which scheme brings subsidiary pains-in-the-ass
and which doesn't.
------------------------------------------------------------------------

[paul]

Actually, I think it's a case of choose your poison.  As an admin, which
do you prefer?  The temporary pain of script kiddie attacks?  Or the
long term pain of blackhat attacks that you have no idea how to stop and
no vendor patches to help you?

[PHC]

------------------------------------------------------------------------
Success can never be reached, hence the security industry is bound to be
unsuccessful in the long-term. Therefore, the other alternative may be
more palatable.
------------------------------------------------------------------------

[paul]

Again, you're trying to paint the world in black and white terms.  It
just doesn't work that way.  You must be fairly young, because you're
still very idealistic.

[PHC]

------------------------------------------------------------------------
They have closed one single hole, which did what? Publicly announced the
hole to the scriptkid population, allowing them to attack the greater
majority of admins who aren't as diligent as you are, all in the name of
a future Utopia that we have no reason to believe will even occur.
Meanwhile, the blackhats carry on unhindered, due to their alleged
resourcefulness, creativity, and persistence. So you've won the
scriptkid-admin race yet again, but other admins might not be so lucky
-- the greater number of admins, in fact.
------------------------------------------------------------------------

[paul]

You yourself have already admitted that the security industry doesn't
believe in the "utopia" that you deride.  They publicly state that it's
not possible to be 100% secure.  So who is really being more
unrealistic?  You criticize them for admitting you can't have 100%
security and then trying to *improve* security.  Yet you advocate no
improvement in security at all.  Just surrender to the blackhats who
will own you when they want to.  This is a very self-centered approach
to a problem that affects everyone in the world.

[paul - previous]

Try to understand the problem from the viewpoint of a network admin.
Most could care less about the philosophical debates that surround these
issues.  Most don't want to learn to program, more than what is
necessary to automate routine tasks.  They don't want to master multiple
disciplines *in addition to* their chosen profession, and they don't want

[PHC]

------------------------------------------------------------------------
We are advocating the removal of their need to deal with scriptkids.
This should be far less taxing on their time and energy.
------------------------------------------------------------------------

Perhaps, but the long term effect might be even more deleterious.

[PHC]

------------------------------------------------------------------------
We claim that it's impossible to completely secure software, by the
admission of security professionals themselves, THEREFORE we accuse them
of being money-mongering criminals (?) who know deep down that they're
chasing the wind, securing nothing other than their employment status.
------------------------------------------------------------------------

[paul]

You demand the impossible.  You say, because the goal is unattainable we
should not even try.  This is a defeatist attitude at best.  Regardless
of how unattainable the goal may be, the effort is worthwhile because
the end result is better than the present situation.

[paul - previous]

What I see you preaching for is for my network to remain vulnerable and
compromised forever.  That's not a goal I would work for.  So why should
I assist you in yours?

[PHC]

------------------------------------------------------------------------
No, you agree by %Point 1% that it will always be insecure. So why not
cut down on the number of people who can cause you grief? Full
disclosure certainly doesn't do it, not with its "necessary evil."
------------------------------------------------------------------------

[paul]

But you're not only advocating that we cut down on the number of
attackers, you're advocating that we surrender to the skilled ones.  Lay
down and give up.  If that were my attitude, I would not be worthy of
the job I've been hired to do.

Paul Schmehl (pauls@...allas.edu)
TCS Department Coordinator
University of Texas at Dallas
http://www.utdallas.edu/~pauls/
