Dailydave mailing list archives

Re: With great responsibility comes great power.


From: "Lance M. Havok (LMH)" <lmh () info-pull com>
Date: Sat, 30 Jun 2007 13:26:17 -0700

On 6/30/07, Ari Takanen <ari.takanen () codenomicon com> wrote:
> One could even take this further and say: Identify all critical
> systems (network equipment, operating systems, server software, client
> software, SCADA systems, and DCS systems), and test them for
> previously unknown security vulnerabilities using all possible
> means.

The question is, you test them with Codenomicon, beStorm, .... or just
ask Cisco for some shell scripts piping netcat? After all, PROTOS had
to re implement it in Java.

> * defense capability: how many vulnerabilities (known or unknown) you
>   have in your systems (estimate metric)

Did you mean DEFENSICS?

> * threat: how many attack programs against those the opponent has
>   (estimate metric)

How are you supposed to know the weapons of the enemy if you don't
even know yours?


> Fix the flaws you have, and you are secure. Do not fix the flaws that
> the opponent has, and you have ammunition. The strength has nothing to
> do with the size of the budget. Unfortunately today you do not need to
> spend any resources to have a cyberwar capability. Attacks are freely
> available, and most defenses are down.

DEFENSICS are not down as far as we know, they are up at
http://www.codenomicon.com/products/

> The greatest weakness today is that nobody is interested in testing
> the defense capability. If I showed a SCADA vendor a bunch of
> minus-infinity-day (well, it is not a zero-day if nobody but me knows
> about it) flaws they asked me if their customers knew about these
> flaws. You know what happens if I said their customers will never know
> about those flaws. That was several years ago, and the flaws are still
> there, waiting for their adversaries to find them.

Great sounding words there. Adversaries. Greatest weakness. Will never
know. Those flaws. Several years ago. Still there. Waiting.

We bet this doesn't even rate for PG-13. You are so creepy! Are you
writing a remake of 'Gladiator'? Or this is another sequel for a Mel
Gibson movie? QAPLA!

> Eliminating public disclosure in one way or the
> other would change the landscape significantly! People would have to
> find their own vulnerabilities to be able to exploit them.

We have to agree with you on this one. This could remind some people
about that wonderful tale, of a guy who after threatening to release
details on 'the Interwebs Apocalypse' (those Cisco 0days are worth
more than you get with that hacker organ trafficking service, Mr.
Maynor) became unemployed. Many individuals believe in the conspiracy
(otherwise known as 'Vendor Propaganda') theory: it was a successful
smear campaign for SSI and the infamous conference holding the much
maligned talk. It was nothing but a clever strategy to bring some
light to those flackey accounting papers. Later he joined,
surprisingly enough, a network products related manufacturer (sponsor
of some security conferences too, obviously). Finally, in a completely
unexpected move, leaked the details of an already known exploit to an
overpriced, hip-looking hardware and (almost) software company. Again,
proving the theory of him being nothing but a poor tool.

Among himself, quite some people already know the reasons that prove
why Mr. Tool either leaked the information after hearing bummers
around the scene (as an illegal immigrant, obviously) or he definitely
doesn't know how to read code (and has a severe lack of context view /
perspective when performing this task). We had to clean our tears
while writing this; therefore, we politely request Mr. Tool to stop
being such a Security Pop Star or we'll shave his head like we did to
Britney Spears. Your days are long time gone already, get something
new to play with and let some other people do real work, or eat some
boiled crows.

In other news we would like to note that the rumors about the
revelation of the identity of the infamous 'LMH' (allegedly writing
this e-mail, although insider information leads to think there might
be a group of crack heads behind this identity) are really hopeless.
Lance M. Havok is a happy resident of Poland. And all these scene
gossip whores need to get an Xbox 360 and play some 3D Stunning
Tetris.

PS: Joseph Minger (Chief Hacking Officer of Propaganda, CHOP) on this
e-mail: "As we have done all the PR and publicity work for Codenomicon
already, would they stop filling Daily Dave with that BS-ICS? For
Christ shake." -- Dave, please consider refinement of the moderation
procedures, they are being state-fully fuzzed by loonies from the
outer space. Also fix any selling erors and mx the smothie to prevent
Mr. Maynor from /unmask.py'ing us. Maynor, we are still waiting for
that Mac Mini, it seems like it's still sitting on your ISS office
(buddy, that screenshot is dated!). Next time you want to know the
physical location of someone else, you better improve those social
engineering skills. Being a pathological liar and sucking at it is none
of them. Feel free to contact the guy you tried to SE for pickup
arrangement.

 Signed, Gene Simmons (who slept with more than 4300 desperate
security industry pirates). Men in waiting.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave