Dailydave mailing list archives
Re: oooh, isc2 gets p0wned
From: Dave Aitel <dave () immunitysec com>
Date: Sun, 06 Jun 2004 19:39:39 -0400
Halvar Flake wrote:
| Hey all,
| <snip>
|
| In the end, fsck em :-) I mean, more or less all interesting bug
| searching is done by _individuals_ -- some of them happen to work
| for companies, but in general, most of the underwriters of OIS are
| not very active bughunters. Basically, what we see with OIS is
| security companies selling to MS the lie that they are the ones
| doing all the "research", and MS paying money to them to get them
| to play by their rules. As the true bughunting happens outside of
| this circle, I feel that OIS is not much to worry about :-)
|
| Cheers, Halvar
|

Well, I continue to worry about OIS trying to canonicalize their views (i.e. Microsoft's views) in some form of governmental agency, which is what Weld Pond went to talk to Congress to lobby for, and if you read a few of the things on their website, they are subtly and not so subtly suggesting that a government CERT-like organization, backed by the power of law, would be a good thing. I.E. they want to make it illegal for researchers to report on vulnerabilities outside of their framework.

Now, that these government agencies are falling for it is a no-brainer, since money talks, and as individuals (or even tiny companies) we don't have much of a voice. I remember reading one of the other "Cybersecurity" papers that came out from a new DHS agency which had plenty of references to Gary McGraw's "work", which was funny, because Gary McGraw hasn't demonstrated that he knows a harp from a handbasket with regards to security. Oh, I found out just now that he helped write it. That would explain it. http://www.eweek.com/article2/0,1759,1571986,00.asp . They also quote the "research" that @stake did to try to prove you should hire them during ALL PHASES of the software development lifecycle. http://www.cyberpartnership.org/init-soft.html is the source for the original paper I was recalling. I don't see an HTML or OpenOffice version of it.
It really bugs me when people use references [McGraw, 1999-2004] to indicate that something they are writing has some basis in science, when in fact they're really just making up some derivative, often self-serving, opinions, possibly backed up by baseless and misleading statistics. Often the trick is to surround your opinions with other opinions everyone shares. Like the following example:

The Task Force found the following things would help software security and should be sponsored by the Department of Homeland Security:

o Encourage organizations to adapt practices which remove security problems from any software they write
o Pay someone who clearly has no clue which way is up to survey methods for designing security into software (as long as they have a Ph.D. Hey, *I* have a Ph.D.!) (I.E. "Encourage and Fund Research" - see p.72 of the text. This was obviously not the original way it was presented. :>)
o Request that all people who write software get security education (also see p.88 for more examples of this fascinating recommendation style)

If I seem down on the idea that the DHS is going to "fund research" into software security, it's because it annoys me that the McGraws of the world are able to dictate public policy (aka, your money) and don't have a track record of doing anything interesting. Why aren't they paying the 50K a year or so it would take to fund GRSECURITY instead, which has proven results and is done by an undergrad in his spare time? Even Immunity does our part to help Brad Spengler eat. This Cybersecurity task force could do a whole lot better by funding one Brad than by hiring 3 Garys. At my calculations, using the value they provide for one Ph.D. (50 Million Dollars per Year in overhead, and 250K in salary - see page 21), that's a fantastic savings of ... a boatload of cash!
I'm a little off the subject here, but I guess my point is that these organizations are a ton better at lobbying than individual researchers, and laws which you would think were insane (DMCA, patent rules, etc.) are in their best interests and they're fighting hard for them. I want to see someone realize that it's a thousand times more cost effective for a large software company to just create better patch creation and delivery methods than for them to do any but the most basic (SPIKE, etc.) security work ahead of time. You won't see THAT coming out of any security vendor, even though it's most likely true.

I agree though - 90% of the interesting work in this field is done by people who don't publish it publicly, and 10% is done by people who do publish it, but aren't affiliated to a company known for doing "security research".

-dave

(see, and there I go again with statistics drawn from who-knows-what source. Now someone can reference this email in a white paper, and then a reporter can read that PDF and claim it as fact, and it becomes fact. Note the random assertions as to how individuals are comfortable working on page 123 of the report that references OIS. "Success will have been achieved if a commitment to the [OIS] guidelines becomes a criteria for vendor selection in the marketplace." An optimist would say "This means that people won't buy BobSoft software because BobSoft doesn't follow OIS guidelines." But in reality, this is Microsoft telling the budding Bindview, Foundstone and @stakes of the world that they better play by the rules if they want the cash. And it's OUR GOVERNMENT sponsoring this free marketing campaign for them. Disgusting. Their next step is to say "Market forces have failed - we need government mandating of OIS rules!")

P.S. VERDE is not listed in the "Attack Patterns" McGraw is so fond of. A lot of Immunity's VSC bugs aren't.

P.P.S. Honestly, this money is better spent hiring people who speak Arabic or a few more armored humvees, if what we're trying to do is have homeland security. The people who own all these software and security companies are already rich, and don't need any public dollars.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave