Dailydave mailing list archives

News, dumbug, prediction rebuttals.


From: Dave Aitel <dave () immunityinc com>
Date: Wed, 21 Dec 2005 16:35:13 -0500

http://www.immunityinc.com/news-latest.shtml now has links to an
analyst whitepaper on Immunity and the market in general.

http://www.immunityinc.com/downloads/dumbug_good.tgz <--updated and
documented version of FX's dumbug that crashes less (for me, YMMV).
All sorts of binaries are included, so you'll have an easier time
compiling it. Some documentation added to files where I felt the C++
code was confusing.

Thomas Ptacek posted his predictions for next year, and here's my
rebuttal, Motley Fool's style. Statements in triple-quotes are his.

"""

   1.

      Side-Channel and Timing Attacks Go Mainstream

      The prediction I am least qualified to make, but most interested
      in. Remote cache timing
      <http://cr.yp.to/antiforgery/cachetiming-20050414.pdf>, local
      cache timing, HTT
      <http://www.sockpuppet.org/tqbf/log/2005/05/cpu-caches-threat-or-menace_18.html>,
      virtualization, distributed side-channel analysis
      <http://www.cryptography.com/resources/whitepapers/DPA.html>. To
      paraphrase a friend who knows the space better than me: "The 10
      people in the world who actually spent any time thinking about
      this had no access to a [useful] side channel... other than
      Bernstein, no public crypto projects are doing anything about
      this in a systematic way". We're approaching a point where
      localhost "nobody" will equate to key recovery.
      """


1. Local nobody is equivalent to local root. This has historically
been true for every OS ever made, is still true, and will always be
true. And tar cvzf /etc/sshd/* is faster and easier than doing
impossibly unreliable timing attacks against crypto.


"""
A Windows Vulnerability Drought
<http://addxorrol.blogspot.com/2005/12/microsoft-is-moving-gui-code-back-out.html>

Take one of the smartest companies in technology, pump an apocryphal
billion dollars into security, and nearly monopolize the best secure
coding talent on the market, and you will get results.

"""

2. My prediction: No windows vulnerability drought. Something I
realized when I was finally forced to switch over to Fedora Core 2 for
security reasons was that XP SP2 solved the problem with people
getting owned every time they connected their computer to the
Internet. But it didn't solve the problem of people getting owned
every time they used an application on their computer. And Windows
Servers, while not as vulnerable as they used to be, are still ownable
by people who care. A real drought is waiting on wide deployment of
hardware that supports the NX bit, which is...not next year.

Essentially, Microsoft didn't spend nearly enough money on security
(hence all those billions in the bank), and didn't follow the Open
Source community's innovations closely enough. And the architecture is
still a mess...I don't see a drought in the near future at all. NX +
Vista and then...maybe. Even that just adds a bit of expense for those
of us who have a Sinan Eren and Nicolas Waisman on staff.

"""
A Credible Open-Source SIM
There's about $100MM spent annually on products that manage and
correlate logs. Guess what? None of it is hard to do. The underlying
tools are there. Customers know how to do this better than the vendors
do. Expect a mainstream open-source combination of Argus
<http://www.qosient.com/argus/> and Sguil
<http://sguil.sourceforge.net/> to own the security management
conversation next year.

"""

3. My prediction: No credible open source SIM (aka, log aggregator).
Boring work gets done by corporations, and that's that. Not to mention
the impossibly high barrier to market of having to purchase and
maintain all the random devices that generate logs.

Anyways, as always, those are only opinions. I guess we'll find out
next year. :>

-dave