Date: Mon, 17 Jan 2011 20:38:39 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "lists@...com.org" <lists@...com.org>
Cc: Zach C <fxchip@...il.com>,
	"Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Getting Off the Patch

>> Now, what I did there was insulting, confrontational, and a general shitty
>> thing to do.
>
>Expected. Nothing that I wouldn't put past you.

It wasn't for your benefit; it was to hopefully prepare PMs for the ensuing anal jihad they'll get from management if they present your idea without any facts and the illustration of their naiveté in regard to what happens when security analysts write checks that operations and management have to cash.

>> You cannot use the "if you don't like my driving then stay off the
>> sidewalk" defense
>
>Wow, you're still inferring a whole bunch of things there and even saying
>things I didn't say. You are so taking this all out of context.

You said if one doesn't like your emails, not to read them, and if we don't like your idea, don't do it.  The problem with this selfish logic is that when my company applies standards, policies, and requirements to data management and risk mitigation, but a vendor to whom I send data decides not to patch based on your idea, then it affects me and my customers, and as such, I simply asked for what are now tiny little shreds of any evidence you have outside of a couple of servers and workstations.   I think the scope of your research has qualified the level of consideration it should receive.

>> I chose that example specifically because it represented an unpatched
>> environment
>
>Sorry you were dissatisfied with the examples. I'll try harder for you
>next time.

You really should.  Rather than providing a single suggestion on how your model would have protected 100% of this known-yet-unpatched vulnerability, you should have taken the opportunity to at least illustrate your assertion by way of example.   You have reduced the applicability of your model to instances where, as far as the most basic of network controls, "there are none."  There is no need for a "new model" here, and in fact, there is nothing new about it in the first place other than to think that when it has been illustrated that people can't deploy an ACL, that they will be successful in not patching. 

>> Your stating that "you think that op-controls can't protect where patches
>
>Of course your argument is your opinion. One that can be surely backed
>by many stats from many companies making money off that particular
>model. And those stats also show it doesn't work consistently. Why not
>try something different? I am presenting a different model is all.
>Sorry you don't like it. It works for others that have tried.

Yet again, this was the purpose of my example.  What you consider "brainwashing" I view as "insight," which I believe is evident by my use of an example where I already calculated your responses beforehand. 

The impact of Slammer proved the state of system security at the time in a definitive manner.  No theory, not "what would have happened if your model was in place," and how basic principles of least privilege and security in depth were not applied.   While it doesn't take an Einstein to predict the obvious (oh, btw, your relativity example was a complete fail) I would like to point out statements of security in depth here:
http://www.securityfocus.com/columnists/174
- and where I not only predicted Slammer and warned against it before writing the article, but covered your "new" model about 8 years ago (even though I'm "brainwashed") here:
http://www.securityfocus.com/columnists/139

You might offer models based on presumed benefits with inferred value unsubstantiated by research or cost analysis, but I have illustrated a real-life, what-actually-happened, non-theoretical, KNOWN vulnerability that had a massive impact on the global internet.  And to prevent it, all someone had to do was to install the patch.

For what my position is worth, I totally support you and your research organization pushing the age-old model of security in depth and least privilege, but I would recommend that you do so with the "don't patch" nonsense removed.

I'm more than happy to continue this exchange, but please excuse me if I fail to reply to responses empty of substance. 

So, "ttyl," or "thanks, it's been interesting."  

t

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
