Dailydave mailing list archives

Re: Re: Hacking's American as Apple Cider


From: byte_jump <bytejump () gmail com>
Date: Fri, 23 Sep 2005 17:18:49 -0600

On 9/23/05, I)ruid <druid () caughq org> wrote:

> There is a second aspect that I feel can be undeniably classified as
> "hacking" and which I personally feel is very, very cool.  It's called
> cryptanalysis, which is essentially developing methods of breaking
> cryptography.  I don't see how you can classify it as anything but
> "hacking", and without cryptanalysis you cannot prove the strength of
> your cryptography or the protection it provides.


I don't think you have proven the strength of your cryptography
through cryptanalysis. You have merely demonstrated that the
cryptographic mechanism you are analysing resists _your_ attacks.

In my opinion, this is more analogous to penetration testing or
application security testing. You don't have any real measure of the
_absolute_ strength of what you are testing, only its _relative_
strength compared to your attacks. In my case (most list readers are
likely in a more advantageous situation), there are myriads of folks
out there smarter, brighter, more clever, and more innovative than I
am, so I assume that my testing or analysis is pretty limited in its
usefulness. :-)

Without speaking for Marcus, but judging from what I perceive him to
be saying, it appears that this is part of the reason why Marcus has
disdain for shellcoding classes, hacking classes, and other hacking
how-to classes/books. They don't really offer any sort of real,
measurable security because you can't prove that a system is
invulnerable by attacking it. It is possible that someone smarter than
you has figured out a better way to attack that system and has been
successful in exploiting it (a so-called "0day"), in which case your
testing and methodology have possibly led you to a false conclusion.
On the other hand, the person teaching or writing about "hacking"
gains rockstar status and makes a bunch of money without measurably
improving security but rather perpetuating the current system. They
also have helped to enable folks who may not be as scrupulous as they
are. The system looks like this:

Company makes promises to Wall Street -> Company rushes product out
the door to satisfy Wall Street -> "Vulnerability researchers" find
vulnerabilities in company's product -> Company issues patch ->
"Security administrators" rush to apply patches -> Loop

Security has not been improved by the above situation, the software
company has in effect outsourced their QA, and the software company
and vulnerability researcher have been enriched, which is why I think
Marcus disapproves of vulnerability research.

Vulnerability researchers are a lot like Jesse Jackson, who has no
interest in resolving so-called "race relations" as long as he
enriches himself off of the "problems" in those relations. :-)

I think there is a balance though, because it is not possible to build
secure defenses without studying how those defenses could potentially
be breached. I do not think there is anything wrong with vulnerability
research, cryptanalysis, etc. Even in military analysis, time is spent
studying the potential ways your enemy may breach your defenses.
Somebody, somewhere, sometime, was the first person to be flanked in
battle. They were decimated and everyone else took note: Do not let
your enemy breach your flanks.

What I would like to know, however, is whether the current
vulnerability research has pressured companies to make substantive
changes to improve their security rather than just get on the patch
treadmill. Windows XP SP2 seems to be an example of this. Anyone have
any insight into this?

Thanks.