From: silvio at big.net.au (Silvio Cesare)
Subject: Security Industry Under Scrutiny: Part 3

sockz.. you have completely lost the plot ;-|

On Thu, Dec 05, 2002 at 11:18:58PM -0500, sockz loves you wrote:
> ----- Original Message -----
> From: "Steve W. Manzuik" <steve@...renchtech.com>
> Date: Fri, 6 Dec 2002 10:47:47 +0900 
> To: <full-disclosure@...ts.netsys.com>
> Subject: RE: [Full-Disclosure] Security Industry Under Scrutiny: Part 3
> 
> 
> > This was a really good post, I think you touched on some good points that I 
> > would like to comment on.
> 
> woot, thankz steve.
> 
> > > In light of who will access this vuln information we can now 
> > > pinpoint a few areas in need of critical improvement.  First 
> > > of all is the proof of concept code being released into the 
> > > wild via the whitehats website.  Removing tools from the net 
> > > means that you remove the threat of socially inapt morons 

Everything that has been discussed is only say 15 years behind the
security history of mainstream computing..

If anyone has learnt anything in security over the years, it's that

	"security through obscurity"

DOES NOT WORK


I'm curious how your analysis (and also the ascii flow graphs presented)
reflect the history of computer security practices, and what was
discovered in the past..

The graphs presented believe that the source of "vulnerability discovery"
is from a purely trusted [and isolated] source.

This view is also the reason why security through obscurity fails to work -
because vulnerability discovery is not the simple mechanism described in
the simplified frameworks you describe.

The presentations provided visibly show the source to "script kiddy"
usage goes through a disclosure process..  The "script kiddies" are therefore
the only adversaries you display.

This is not the reality of computer security, and if the past year has shown
us anything, it is "oh shit.. the 'blackhats' have vulns against all of this
software" - yet WHAT DO BLACKHATS DISCLOSE?

The solution you present for secure computing is indeed a purely political
scheme, and not a technological scheme, for the goal is not the
reduction of vulnerabilities, but _the reduction of
REPORTED "security violations"_.

This reduction can be achieved through many means.  A typical example is the
NON DISCLOSURE OF SECURITY VIOLATIONS themselves.  In this framework, then
indeed the total security on the internet is increased, because the
reported number of security problems is decreased.

Does that make the number of real violations less than previous?  Does that
make the true technological security any better?  Does that mean people
are not actively exploiting software and breaking into machines?

> > The problem with this is that there will always be someone who feels it is 
> > their right (free speech and all that jazz) to post what they want on their 
> > website and there will always be those who write/post exploit code.  How do
> > you propose that this is prevented?  
 
The purpose of this is for what?

Your framework is a simplified view of problems that ignores the truth
of computer security: that disclosure does not occur for the
"true blackhats" - that is, the computers which you imply you are trying
to protect will never be reported as "vulnerable" by the people
who wish to break into them.

Blackhats, as is stated by so many people, DO NOT DISCLOSE - why would
they?

"Hey.. I just rooted this bank and am taking all their money!"
"Time to make a post to full-disclosure!"

^^ I find that laughable..

The "blackhats" are indeed an "adversary" in the computer security framework -
the script kiddy is also an adversary.. yet your framework believes that
the only failure in computer security is because of disclosure - that is,
the "bad guys" don't already know these vulnerabilities.

How exactly does your framework of non-disclosure bring into play
the fact that "AN ADVERSARY DOES NOT DISCLOSE".

^^ Am I lost here in your analysis?  Or is the framework of non-disclosure
heavily simplified and polarized to achieve an agenda?

> well mechanisms like this are already in place when it comes to things like
> national security.  freedom of information is limited where that information
> could pose a threat to international relations, military strategy, secret
> operations and investigations, etc.  i think that if the internet is grown up
> enough to have laws that make it more capitalist-friendly it should be old
> enough to be subjected to State-based legislation that prevents the trading of
> information that could pose a threat to internet security.
 
[ snip ]

> > What about the inept software vendors who *require* proof of concept code 
> > before they even consider looking at a problem?  What about organizations like
> > CERT who has had proof of concept code mysteriously leak?
 
This implies that "blackhats" don't already have this (highly unlikely).
Yet, you insist that again the magic bullet of computer security, is to
block full disclosure, and to keep such information in a "trusted and
isolated environment" (though you acknowledge that again this is not fully
trusted).

Let's get this clear..

	BLACKHATS ALREADY KNOW AND HAVE THIS INFORMATION!
	BLACKHATS DO NOT DISCLOSE!

Your statements are the opposite -->

	SECURITY IS COMPROMISED THROUGH TRUSTED ROOTS OF DISCLOSURE.
	BAD PEOPLE FULLY DISCLOSE.

so in summary..

	STEP INTO REALITY FOR A MINUTE.


Everything that gets posted by the so called "blackhats" says this -->

	BLACKHATS DO NOT DISCLOSE

^^ so...  the idea then that a "secure internet" is by non-disclosure!

WHO THE F*CK ARE "YOUR" ADVERSARIES?

--
Silvio
