[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <024e01caaa2a$2b216e40$81644ac0$@wright@Information-Defense.com>
Date: Wed, 10 Feb 2010 19:22:15 +1100
From: "Craig S. Wright" <craig.wright@...ormation-Defense.com>
To: "'Thor \(Hammer of God\)'" <Thor@...merofgod.com>
Cc: pen-test@...urityfocus.com, advisory-board-open@...ts.sans.org,
'Jeff Frisk' <jfrisk@...c.org>,
'full-disclosure' <full-disclosure@...ts.grok.org.uk>,
security-basics@...urityfocus.com, stephen@...s.edu,
'Ben Wright' <ben.wright@...oo.com>
Subject: Re: SMS Banking
Hi Again Thor/Tim and now others,
I have added a few people to this email. As a summary to those joining,
"Thor" (really Tim) has the notion that you cannot quantitatively measure
information system risk and thinks Bayesian statistics, computational chaos
and heteroscedastics (my fields) cannot measure risk.
>>From the "discussion" that has ensued, Tim and I have ended in a gamble
where I shall be using the my skills in math and those of both practical
experience and importantly all I have learnt from SANS over the many years
against anything he wishes to being to the table.
There is some information included below, but as a summary, myself and
another party will measure the risk of software and systems. This will be
100 software products and 50 systems to be independently deployed.
Code vulnerabilities is but a single risk measure (see below for where this
fits). My Question to Tim is are you implying that you cannot do this?
Knowing the likelihood of code vulnerabilities and the rate comes to
patching and hence implementation issues. I am stating that I can model
this. I will put my reputation etc on the line (as well as a large quantity
of cash) on the assertion that I can model the risk of software within a set
confidence bound given the a prior information on the product, user base and
such other information against a qualitative determination.
I have stated an independent third party will configure systems. Neither Tim
nor I will set the systems up. This will be done correctly without bias. I
have added Stephen to this discussion as I will be proposing an exercise for
SANS Students. I will elaborate this later. The basic gist is that SANS
conference attendees and students generally could be involved. The idea is
that neither party to the test will have an insight or knowledge that
exceeds the others from any unfair means.
I will up the bet to the 100k amount if this is Tim's desire. We will set
this as an escrow. That is, an independent party (merchant bank) will hold
the money. We each pay in advance. The money will be held earning interest
until this exercise is complete. Ben is included in this email as he is one
of the most IT savvy and security knowledgably attorneys around. He is NOT
my attorney, but he knows more than enough to (for valid consideration that
I will fund) set the escrow conditions.
Tim states below, "they will be 100% vulnerable to immediate exploitation"
My question to him is are you stating that the systems will be 100%
vulnerable? Is this your response or would you like to actually test the
system?
I will give Tim an out or at least an advantage if he wishes. I will still
do all I have stated, but I will also give him an additional option. This
is, I will configure a server running a BI (Business Intelligence)
application and Database accessed over the web with an SSH server for admin
access and management. If either I fail to predict risk within a 95%
confidence interval OR you breach this system in the time period (a whole 6
months), I lose the bet.
As stated, the money will be escrowed. Once started, we each put our money
where our mouth is so to speak. If you EITHER predict correctly OR
compromise a single system - you (Thor/Tim) win. Otherwise - Tim has to
admit error.
This has escalated to a US$ 100,000 bet. The contract will be formalised,
but this is an offer (in fact, the other offers are also accepted at lower
values, but we each have too much testosterone).
There are two components;
1 A selection of software products are tested using both processes,
that is I use a model for the risk of these products, and Thor can make up
whatever guesses he wishes. We model (or Thor guesses, pulls from a
hat...) the vulnerabilities over a time period. The number of bugs in
software as well as the risk are to be presented as a monthly estimate.
2 We model a few systems (say 50). We can use Honeypots (real systems
set to log all activity without interference) run by an independent party to
each of us. I use probabilistic models to calculate the risk. Thor does
whatever he wants to test these, audit them etc and predict risk. These
systems are to be logged and all the data recorded. The full rules and
restrictions, setup processes etc will be incorporated into the contract.
I put my knowledge from Bayesian Statistics, Computational Chaos, financial
modelling and heteroscedastics that is coupled with around 30 SANS
courses/certifications and all the other bits against Tim's arsenal.
Part 1
Tim has to select 100 commonly deployed software products. I will not
intervene, but I will have these challenged if they are NOT commonly
deployed. Hence CC'ing the SANS Advisory Board. I propose these individuals
as the people who can veto a choice if the software is obscure.
I shall be listing these in the contract that we will each sign as a deed.
Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd
From: Thor (Hammer of God) [mailto:Thor@...merofgod.com]
Sent: Wednesday, 10 February 2010 5:42 PM
To: craig.wright@...ormation-Defense.com; Valdis.Kletnieks@...edu
Cc: pen-test@...urityfocus.com; 'full-disclosure';
security-basics@...urityfocus.com
Subject: RE: [Full-disclosure] SMS Banking
See my follow up email first.
Are you asserting that your entire basis for what risk is comprised of is
the number of new vulnerabilities found in code? Risk=code
vulnerabilities? Please tell me you know more about this industry than
that. Actually, DONT tell me that. I dont want to start to feel more
sorry for you than I already do.
We dont need six months. Pick whatever 100 you want. Come up with your
risk factor. Ill deploy them, and they will be 100% vulnerable to
immediate exploitation and Ill laugh at your risk figures all the way
to the bank. This is getting better by the minute.
Care to up your bet? Ill wager 4:1 for you. Lets make it my $100k to
your $25k, even though youve already set the terms and the amount in
writing previously. Im happy to amend this.
t
From: Craig S. Wright [mailto:craig.wright@...ormation-Defense.com]
Sent: Tuesday, February 09, 2010 10:28 PM
To: Thor (Hammer of God); Valdis.Kletnieks@...edu
Cc: pen-test@...urityfocus.com; 'full-disclosure';
security-basics@...urityfocus.com
Subject: RE: [Full-disclosure] SMS Banking
I will happily do this.
That it can be hacked, or will be hacked
Anything CAN be hacked.
Software first. Choose 100 common software products. I will define scale
here first. This will be number of vulnerabilities (new) that are found in
each piece of software each month. This will also be related to the common
metrics for the level of the vulnerability. This will be for 6 months.
Choose the number of vulnerabilities and the impact of each of these for 6
months. It has to be commonly run software with a user base that I cannot
count on one hand.
My predictions will be for these products and will have a confidence bound
set at 95% (or alpha=5%).
I further assume that the loser will be financially responsible for the
audits done my way.
Are you saying that you will pay MY fees when you lose?
wont look at the software code
When you can get MS to give me their code this may be an issue, but it is
not as yet.
Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd
From: Thor (Hammer of God) [mailto:Thor@...merofgod.com]
Sent: Wednesday, 10 February 2010 3:59 PM
To: craig.wright@...ormation-Defense.com; Valdis.Kletnieks@...edu
Cc: pen-test@...urityfocus.com; 'full-disclosure';
security-basics@...urityfocus.com
Subject: RE: [Full-disclosure] SMS Banking
Now youre talking. But first lets work up an actual contract. Neither of
your components define anything. When you say that you are going to predict
risk with your magic formula, do you mean if the software has
vulnerabilities? That it can be hacked, or will be hacked?
Be sure to define this properly and definitively if you end up saying that
a system has a 1% change of being hacked, and I (or my auditors) hack it,
would you claim you were right? I question if you can even define the
parameters of this bet, much less apply your formulas, but well see.
I also want to know what scale you plan to use. So far, even though Ive
asked, youve not provided what the answer to your formula is, or how it
will be applied. Im assuming, unless you are going to change your tune
which I wouldnt doubt, that you wont look at the software code or threat
models, but rather apply your formulas. I further assume that the loser
will be financially responsible for the audits done my way.
Im more than happy to take your money, and I look forward to doing so.
Since one of your masters degrees is in law, Im assuming you can clearly
define the terms of the contract. I will, of course, insist upon a
contract, and I hope you wont mind that I have my own attorney look it
over. Im not immediately trusting of the competence of one with a
doctorate degree and multiple masters degrees who cant spell technology
or experience correctly on his on-line CV.
You are officially on. And Im looking forward to it.
t
From: Craig S. Wright [mailto:craig.wright@...ormation-Defense.com]
Sent: Tuesday, February 09, 2010 7:41 PM
To: Valdis.Kletnieks@...edu; Thor (Hammer of God)
Cc: pen-test@...urityfocus.com; 'full-disclosure';
security-basics@...urityfocus.com
Subject: RE: [Full-disclosure] SMS Banking
I have a simple answer to this. Forget the debate, rhetoric is not a
scientific method of determining truth.
Thor wants a challenge, lets have one a real one and not one based on
verbalisations, abuse and unfounded assertions.
I suggest two components;
1 A selection of software products are tested using both processes,
that is I use a model for the risk of these products, and Thor can make up
whatever guesses he wishes. We model (or Thor guesses, pulls from a
hat...) the vulnerabilities over a time period. The number of bugs in
software as well as the risk are to be presented as a monthly estimate.
2 We model a few systems (say 50). We can use Honeypots (real systems
set to log all activity without interference) run by an independent party to
each of us. I use probabilistic models to calculate the risk. Thor does
whatever he wants.
Each of the predictions is published by all parties. The one who is most
accurate wins. Fairly simple?
I will even give a handicap to Thor, I will offer to predict within a 95%
confidence interval and that for me to win, at least 90 of the 100 software
products and 45 of the 50 systems have to lie within my predicted range that
I calculate and release. Thor has to simply guess better than I do no
matter how far out he is.
I will put up $10,000 Au for my side. Lets see if Thor has something real
to offer.
Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd
_____________________________________________
From: Valdis.Kletnieks@...edu [mailto:Valdis.Kletnieks@...edu]
Sent: Wednesday, 10 February 2010 7:03 AM
To: Thor (Hammer of God)
Cc: pen-test@...urityfocus.com; full-disclosure;
craig.wright@...ormation-Defense.com
Subject: Re: [Full-disclosure] SMS Banking
* PGP Signed by an unknown key
On Tue, 09 Feb 2010 17:39:39 GMT, "Thor (Hammer of God)" said:
> how about accepting a challenge to an open debate on the subject at
Defcon?
"Alright folks just make yourself at home, Have a snow cone and enjoy the
show"
-- Webb Wilder
* Unknown Key
* 0xB4D3D7B0
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists