Dailydave mailing list archives
Re: Re: Hacking's American as Apple Cider
From: byte_jump <bytejump () gmail com>
Date: Fri, 23 Sep 2005 17:18:49 -0600
On 9/23/05, I)ruid <druid () caughq org> wrote:
There is a second aspect that I feel can be undeniably classified as "hacking" and which I personally feel is very, very cool. It's called cryptanalysis, which is essentially developing methods of breaking cryptography. I don't see how you can classify it as anything but "hacking", and without cryptanalysis you cannot prove the strength of your cryptography or the protection it provides.
I don't think you have proven the strength of your cryptography through cryptanalysis. You have merely demonstrated that the cryptographic mechanism you are analysing resists _your_ attacks. In my opinion, this is more analogous to penetration testing or application security testing. You don't have any real measure of the _absolute_ strength of what you are testing, only its _relative_ strength compared to your attacks. In my case (most list readers are likely in a more advantageous situation), there are myriads of folks out there smarter, brighter, more clever, and more innovative than I am, so I assume that my testing or analysis is pretty limited in its usefulness. :-) Without speaking for Marcus, but judging from what I perceive him to be saying, it appears that this is part of the reason why Marcus has disdain for shellcoding classes, hacking classes, and other hacking how-to classes/books. They don't really offer any sort of real, measurable security because you can't prove that a system is invulnerable by attacking it. It is possible that someone smarter than you has figured out a better way to attack that system and has been successful in exploiting it (a so-called "0day"), in which case your testing and methodology have possibly led you to a false conclusion. On the other hand, the person teaching or writing about "hacking" gains rockstar status and makes a bunch of money without measurably improving security but rather perpetuating the current system. They also have helped to enable folks who may not be as scrupulous as they are.
The system looks like this: Company makes promises to Wall Street -> Company rushes product out the door to satisfy Wall Street -> "Vulnerability researchers" find vulnerabilities in company's product -> Company issues patch -> "Security administrators" rush to apply patches -> Loop.

Security has not been improved by the above situation, the software company has in effect outsourced their QA, and the software company and vulnerability researcher have been enriched, which is why I think Marcus disapproves of vulnerability research. Vulnerability researchers are a lot like Jesse Jackson, who has no interest in resolving so-called "race relations" as long as he enriches himself off of the "problems" in those relations. :-)

I think there is a balance though, because it is not possible to build secure defenses without studying how those defenses could potentially be breached. I do not think there is anything wrong with vulnerability research, cryptanalysis, etc. Even in military analysis time is spent studying the potential ways your enemy may breach your defenses. Somebody, somewhere, sometime, was the first person to be flanked in battle. They were decimated and everyone else took note: Do not let your enemy breach your flanks.

What I would like to know, however, is whether the current vulnerability research has pressured companies to make substantive changes to improve their security rather than just get on the patch treadmill. Windows XP SP2 seems to be an example of this. Anyone have any insight into this? Thanks.