Message-ID: <20021210051202.14677.qmail@email.com>
From: sockz at email.com (sockz loves you)
Subject: Security Industry Under Scrutiny: Part 3

----- Original Message -----
From: Silvio Cesare <silvio@....net.au>
Date: Fri, 6 Dec 2002 15:15:56 +1100
To: sockz loves you <sockz@...il.com>
Subject: Re: [Full-Disclosure] Security Industry Under Scrutiny: Part 3


> sockz.. you have completely lost the plot ;-|

i had a plot?
;(

> If anyone has learnt anything in security over the years, it's that
> 
> 	"security through obscurity"
> 
> DOES NOT WORK

plz explain why?  so far all the explanations i've heard have been self-
sealing arguments backed up only by simplified models and varying degrees
of 'faith' in the security industry.
 
> I'm curious how your analysis (and also the ascii flow graphs presented)
> reflect the history of computer security practices, and what was
> discovered in the past..

this analysis didn't.
 
> The graphs presented believe that the source of "vulnerability discovery"
> is from a purely trusted [and isolated] source.

yep.
 
> This view, is also the reason why security through obscurity fails to work -
> Because vulnerability discovery is not the simple mechanism described in
> the simplified frameworks you describe.

i see.

> The presentations provided visibly show the source to "script kiddy"
> usage goes through a disclosure process..  The "script kiddies" are therefore
> the only adversaries you display.

what others should i have included that were relative to the debate?  i assumed
that if i was describing the flow of information between whitehats and script
kiddies, then i would not need to list any other adversaries because they would
have been outside the scope of the email.  perhaps i was wrong?  then again you
could mean here that fake-whitehats with fake-advisories are also kinds of
adversaries?  i am not clear on this.

> This is not the reality of computer security, and if the past year has shown
> us, then "oh shit.. the 'blackhats' have vulns against all of this
> software" - yet WHAT DO BLACKHATS DISCLOSE?

i don't follow.

> The solution you present for secure computing, is indeed a purely political
> scheme, and not a technological scheme, for the goal is not the
> reduction of vulnerabilities, but _the reductions of
> REPORTED of "security violations"_.

that's correct and incorrect.
the goal is to change the way vulnerabilities are reported.  it isn't security
through obscurity really, because a responsible security architect would be
notifying the software vendor alone... and not the rest of the world.  what i
am calling for here is not an end to bug reports but a beginning of maturity
and responsibility in the industry.

> "Hey.. I just rooted this bank and am taking all their money!"
> "Time to make a post to full-disclosure!"
> 
> ^^ I find that laughable..

hehe, me too.
 
> The "blackhats" are indeed an "adversary" in the computer security framework -
> the script kiddy is also an adversary.. yet your framework believes that
> the only failure in computer security is because of disclosure - that is,
> the "bad guys" don't already know these vulnerabilities.
>
> How exactly does your framework of non-disclosure bring into play
> the fact that "AN ADVERSARY DOES NOT DISCLOSE".
 
okay point taken.  i guess i'm just so used to seeing blackhats as anything but
an 'adversary' that i forgot to consider them from the other side of the
argument.  i'll make the amendments when i get home.
 
> Let's get this clear..
> 
> 	BLACKHATS ALREADY KNOW AND HAVE THIS INFORMATION!
> 	BLACKHATS DO NOT DISCLOSE!

i think that it is unreasonable to suggest that everything that has been churned
out on bugtraq in the last year was discovered by a blackhat.  surely, maybe, in
the sense that the whitehat is for a brief moment a blackhat before they post
the advisory (if you remove all traces of intent).  but it's a completely
different motivation here.  whitehats find bugs to make themselves famous, make
money, score advisory brownie points, and those bugs can be *anything*.  i dunno
about you but the only bugs i've really sought after are the ones that will help
me achieve my individual goals.
 

in any case thanks for your reply.  i'll try and make things a bit clearer in
the future.

<3 sockz