Dailydave mailing list archives
Re: With great responsibility comes great power.
From: "Lance M. Havok (LMH)" <lmh () info-pull com>
Date: Sat, 30 Jun 2007 13:26:17 -0700
On 6/30/07, Ari Takanen <ari.takanen () codenomicon com> wrote:
> One could even take this further and say: Identify all critical systems (network equipment, operating systems, server software, client software, SCADA systems, and DCS systems), and test them for previously unknown security vulnerabilities using all possible means.
The question is, you test them with Codenomicon, beStorm, .... or just ask Cisco for some shell scripts piping netcat? After all, PROTOS had to re-implement it in Java.
> * defense capability: how many vulnerabilities (known or unknown) you have in your systems (estimate metric)
Did you mean DEFENSICS?
> * threat: how many attack programs against those the opponent has (estimate metric)
How are you supposed to know the weapons of the enemy if you don't even know yours?
> Fix the flaws you have, and you are secure. Do not fix the flaws that the opponent has, and you have ammunition. The strength has nothing to do with the size of the budget. Unfortunately today you do not need to spend any resources to have a cyberwar capability. Attacks are freely available, and most defenses are down.
DEFENSICS are not down as far as we know, they are up at http://www.codenomicon.com/products/
> The greatest weakness today is that nobody is interested in testing the defense capability. If I showed a SCADA vendor a bunch of minus-infinity-day (well, it is not a zero-day if nobody but me knows about it) flaws they asked me if their customers knew about these flaws. You know what happens if I said their customers will never know about those flaws. That was several years ago, and the flaws are still there, waiting for their adversaries to find them.
Great sounding words there. Adversaries. Greatest weakness. Will never know. Those flaws. Several years ago. Still there. Waiting. We bet this doesn't even rate for PG-13. You are so creepy! Are you writing a remake of 'Gladiator'? Or this is another sequel for a Mel Gibson movie? QAPLA!
> Eliminating public disclosure in one way or the other would change the landscape significantly! People would have to find their own vulnerabilities to be able to exploit them.
We have to agree with you on this one. This could remind some people about that wonderful tale, of a guy who after threatening to release details on 'the Interwebs Apocalypse' (those Cisco 0days are worth more than you get with that hacker organ trafficking service, Mr. Maynor) became unemployed. Many individuals believe in the conspiracy (otherwise known as 'Vendor Propaganda') theory: it was a successful smear campaign for SSI and the infamous conference holding the much maligned talk. It was nothing but a clever strategy to bring some light to those flaky accounting papers. Later he joined, surprisingly enough, a network products related manufacturer (sponsor of some security conferences too, obviously). Finally, in a completely unexpected move, leaked the details of an already known exploit to an overpriced, hip-looking hardware and (almost) software company. Again, proving the theory of him being nothing but a poor tool. Among himself, quite some people already know the reasons that prove why Mr. Tool either leaked the information after hearing bummers around the scene (as an illegal immigrant, obviously) or he definitely doesn't know how to read code (and has a severe lack of context view / perspective when performing this task). We had to clean our tears while writing this; therefore, we politely request Mr. Tool to stop being such a Security Pop Star or we'll shave his head like we did to Britney Spears. Your days are long time gone already, get something new to play with and let some other people do real work, or eat some boiled crows. In other news we would like to note that the rumors about the revelation of the identity of the infamous 'LMH' (allegedly writing this e-mail, although insider information leads to think there might be a group of crack heads behind this identity) are really hopeless. Lance M. Havok is a happy resident of Poland. And all these scene gossip whores need to get an Xbox 360 and play some 3D Stunning Tetris.
PS: Joseph Minger (Chief Hacking Officer of Propaganda, CHOP) on this e-mail: "As we have done all the PR and publicity work for Codenomicon already, would they stop filling Daily Dave with that BS-ICS? For Christ shake." -- Dave, please consider refinement of the moderation procedures, they are being state-fully fuzzed by loonies from the outer space. Also fix any selling erors and mx the smothie to prevent Mr. Maynor from /unmask.py'ing us. Maynor, we are still waiting for that Mac Mini, it seems like it's still sitting on your ISS office (buddy, that screenshot is dated!). Next time you want to know the physical location of someone else, you better improve those social engineering skills. Being a pathological liar and sucking at it is none of them. Feel free to contact the guy you tried to SE for pickup arrangement. Signed, Gene Simmons (who slept with more than 4300 desperate security industry pirates). Men in waiting.