Message-ID: <871080DEC5874D41B4E3AFC5C400611ECFCE67@UTDEVS02.campus.ad.utdallas.edu>
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: [PHC] Sermon #3 (w/ reply to Paul Schmehl & others)

-----Original Message-----
From: phc@...hmail.com [mailto:phc@...hmail.com] 
Sent: Friday, November 22, 2002 6:28 PM
To: full-disclosure@...ts.netsys.com
Subject: [Full-Disclosure] [PHC] Sermon #3 (w/ reply to Paul Schmehl &
others)

[PHC]
Paul,

Your network will never be secure.

[paul]

This is a given.

[PHC]
People seem to think Attack Windows -- a term coined by the same class
of people who brought you the Nop Sled (tm) -- exist between public
vulnerability disclosure and public patch release. This is untrue;
Attack Windows exist from public vulnerability disclosure right back
into the long forgotten past.
Example: if in 2010 a vulnerability is publicly disclosed in a widely
used program that has been used for 20 years, then every box on the
planet using that program has been at risk for 20 years, and not merely
the week or so between public announcement and public fix. In
retrospect, the security industry accomplished nothing in 20 years,
except stuffing their pockets with cash and generating a false sense of
security.

[paul]

Agreed, as to the first part, but your conclusion doesn't follow.  They
may have accomplished nothing WRT that one weakness.  That says nothing
about other weaknesses they may have exposed and which got fixed as a
result.

Do you *really* expect intelligent people to believe that the
"Trustworthy Computing" initiative that Microsoft has undertaken would
have *ever* happened without the steady stream of embarrassing
disclosures, culminating in the awful buffer overflow in UPnP, that led
up to that announcement?  Frankly, that stretches credulity to the
breaking point!

If the security industry wasn't constantly exposing Microsoft's warts,
there would be no "Trustworthy Computing" initiative, there would be no
security department at Microsoft, there would be no security bulletins,
there would be no "hotfixes".

You cannot honestly believe that, in the face of Microsoft's awful
security record, that silence would be the correct behavior!

[PHC]
Insecurity will be perpetual. As democow said, blackhats will always be
able to compromise you. Scriptkids will not be able to compromise you if
you always manage to win the scriptkid-admin race that occurs when a new
bug is disclosed on a security mailing list. However, not all admins
will be so lucky. The security industry in this manner has increased not
only the number of attackers exponentially, but the threat to the
Internet at large. This is a cycle that can stop, but it won't happen
while the security industry can make money on it. They need figures and
statistics to market their flimsy products. They need visible threats to
justify their existence. They need widespread defacements and system
compromises.

[paul]

And the alternative is?

Assume for a moment that everything you've said so far is correct.
Assume further that there is no security industry to "blow the whistle".
Then this is the situation: all systems are insecure by default and will
always be insecure, and the holes are only known by a select few, the
so-called blackhats.  What options do the network admins have then?

I submit they have none.  Each time a system is compromised, the admin
then either has to learn enough programming to be able to *correctly*
understand the source of the problem (assuming he has access to the
source) *or* demand that the vendor fix the problem that allowed the
breakin.  But the admin has no leverage with the vendor.  He's already
paid for the software.  He has no contract with the vendor to protect
him.  Even if he can motivate the vendor to fix the problem, it's
probably going to be in a new release, not in the existing one (because
then the vendor would have to announce the problem to all his
customers.)  Furthermore, that admin has an ethical obligation to let
other users know about the weakness.  Otherwise he is culpable in their
future breakins.

[PHC]

In the SecurityFocus article, _Full disclosure is a necessary evil_,
Elias Levy agrees that full disclosure brings more short-term insecurity
than non-disclosure does. So it's not only the 'blackhats' who see this.
However, Levy qualifies this short-term insecurity as a "necessary evil"
to effect long-term security. Just HOW long-term is a matter of
conjecture, but based on the security industry's own tenet that "no
software, system, or network can be totally secure," we don't ever see
the final destination being reached by the security industry. Instead,
we see them as the purveyors of lies and broken promises who will never
be able to deliver what they're paid for. This holds true even for the
5% of 'programmer-phrack-magazine-esque' security professionals Who Have
A Clue. The crazy thing is that it's their inability to deliver the
goods that keeps them in business. While they rake in large amounts of
cash and fail miserably at their self-appointed task, their failures
succeed in convincing the gullible that they're still needed.

[paul]

You can't have your cake and eat it too.  If, as you say, there will
never be anything like total security in software, then you can't also
accuse the security industry of having failed in their mission, simply
because the foregone conclusion has been reached.  Under the conditions
which you describe, success can never be reached.

However, if the security industry has helped close one single hole, then
they have succeeded more than if they had done nothing, which is what
you're advocating.  Furthermore, you cannot accuse the security industry
of failing because the software vendors have failed to program securely.
The security industry's job is to reveal the problem and suggest
solutions.  They cannot force the vendors to fix the problem.

[PHC]

There was a Vuln-Dev thread on Alan Turing's "Halting Problem" (we
remember this thread because it was probably the only educated thread
ever to appear on Vuln-Dev, not to mention a brilliant battle of wits
between Lcamtuf-the-Brain and Mixter-the-Fucking-Narc) that brought the
identification of security holes in software under the light of
elementary discrete mathematics. This added to the tenet mentioned
above. We mention this to reiterate what we said in Sermon #2 about all
disciplines of study being applicable in some way, however slight, to
the problem we seek to change. See, even a math nerd can help us.

[paul]

Try to understand the problem from the viewpoint of a network admin.
Most could care less about the philosophical debates that surround these
issues.  Most don't want to learn to program, more than what is
necessary to automate routine tasks.  They don't want to master multiple
disciplines *in addition to* their chosen profession, and they don't want
to have to deal with breakins on top of all the other problems that come
with trying to network heterogeneous systems and protocols so that users
can seamlessly access what they want and need to access.  What you are
advocating is that they simply "deal with it", rather than offering any
solutions to the problem.

[PHC]

In summary, the security industry is reaping large sums of money for
doing absolutely nothing for Internet security.

[paul]

You can't make this leap of logic from the evidence that you've
presented.  You claim that it's impossible to completely secure software
systems.  Then you accuse the security industry of having failed because
they haven't completely secured those systems.  And if the security
industry has caused the "Trustworthy Computing" initiative to come to
pass, then you certainly can't accuse them of "doing absolutely
nothing".

[snipped the irrelevant political diatribe]

[PHC]

We can churn out sermon after sermon, but it will do little good if
nobody gives a damn. We're not fools to believe all this talk will do
anything great. If you see what we are fighting for, then PLEASE
contribute Stuff to the cause, where Stuff can be textfiles, graphics,
old AntiSec posts, ideas, constructive criticism, whatever.

[paul]

What I see you preaching for is for my network to remain vulnerable and
compromised forever.  That's not a goal I would work for.  So why should
I assist you in yours?

[PHC]

And if you call anything that moves a "scriptkid" or a "lamer," for
fuck's sake, do not bother replying to this.

[paul]

No, I call people who break into other people's computers jerks.  I
really could care less what motivates them to do it.

Paul Schmehl (pauls@...allas.edu)
TCS Department Coordinator
University of Texas at Dallas
http://www.utdallas.edu/~pauls/ 