Dailydave mailing list archives
Re: Twitter: (verb) to fail under exponential growth
From: "Lance M. Havok" <lmh () info-pull com>
Date: Mon, 30 Jun 2008 20:52:57 +0200
Hi Mr. Maiffret,

Nice to meet you, I guess. I was already pretty much off from the whole computer security thing, and I was packing my stuff for going on a legendary pilgrimage to the beach for partying hard, wasting myself and possibly destroying my last few sane brain cells with some drugs and booze. Therefore, before I become incurably clueless and insane, I decided to reply to this message. I still have a goodbye letter pending and a last bang to shut the door behind me forever. So here we go... yeah dude!

On Mon, Jun 30, 2008 at 2:41 AM, Marc Maiffret <mmaiffret () inveniosecurity com> wrote:
> -----Original Message-----
> From: Dave Aitel
> Talking with my British friends lately they're all quite obsessed with trash. For good reason, I assume, since they now have strict recycling <snip>
>
> I am not sure what unsustainable growth in human garbage or number of virus signatures really has to do with security tools not taking the extra step in automation. Vulnerability assessment and code bugs do not create an exponential amount of findings but rather a steady stream; mileage may vary. Some could argue they are exponential in their databases of things to scan for, but that is not true with code bugs, and in the case of VA there are typically a lot of superseded patches where you are looking for the latest rollup rather than the 100 bugs that led up to it. But I'm digressing...
Every patch once in a while introduces another hundred bugs. And people still have to care about patching bugs they consider 'unimportant'.
> Automation can be a great thing or it can be a bane. Too many times these days technology caters to laziness or acts as a Band-Aid for human stupidity, like the difference between side airbags and cars that can parallel park themselves.
> The complexity in security is not from any complexity in technology but the complexity in motivating people to truly care about security and act accordingly. Non-accidental Murder by Technology will help speed people's thinking along.
Why should we care about security anyway? Security these days is becoming a matter of crowd control, nothing else. Normal people don't give a shit about the details or whatever other cranky technology affecting their security. Technology is the new form of slavery. The more connected you are, the more control others can exercise over you. I was reading an interview with Hubbard's (the Scientology founder) son, and he basically said something like: "Scientology counseling revolves around your sexual life. If you know every sexual detail, dirty deed, desire and craving of an individual, you control his life." Technology is pretty much becoming the new cancer of today's society. Security in technology is just an accident. We are hyper-connecting ourselves; everything is getting networked. From phones to fridges, to dildos, anything. You are broadcasting your whole life, and nobody really cares about it until they want to steal your bank information. This whole new thing about technology is that it makes you and me, the average random idiot on Earth, feel like we are someone special. Goddammit, there are more than 6k million people on this planet. Illusion of self-importance. Might make you feel good and fuzzy, but it's freaking non-existent. You won't achieve enlightenment in your life while blogging about your last trip to Las Vegas. No fucking way. I would pay to see Ned Ludd brought back to these days.
> Companies already have to manage everything, so they will have to deal with scale either way. Maybe BindView does not scale (I don't know), but there are companies in the world that manage half a million or more Windows systems centrally, including patching, and they do an extremely good job of it. As you seem passionate on the subject I cannot help but ask: when is Canvas coming out with a feature to automatically push patches for vulnerabilities it uses to own a system, and how will you handle zero-day? :-)
You miss the point about CANVAS. It's an offensive technology. It's not supposed to defend you against anything. It simply provides an efficient way to have a real perspective of how clueless your network security people are, and how you should be moving from Apache/PHP to IIS/ASP.NET. If you don't like that, go develop a plugin and plug it into the framework. The point here is that the whole industry, and the technologies developed by people working in it, pretend to be defensive. They pretend that by investing a crapload of money in a super advanced IDS megasystem of anti-hacker nanotechnology, you could actually prevent your employees from downloading child pornography, suffering targeted attacks via Office documents, leaking information via P2P software, etc. The same goes for antiviruses, for vulnerability assessment, etc. There are a whole helluva lot of smart asses out there who can audit your code and still miss incredibly stupid shit. How do you like that? And you are paying 2k bucks a day for each code-leaking auditing minion. The only technology that has actually worked overtime is grsecurity, and watch out for the imitators out there. Brad did an excellent job at freely licensing it. You know what, I was gonna work on a BSD-licensed grsec-like security patch for NetBSD. I would hope to have it promptly stolen by Apple (since I was going to use the kauth subsystem, they wouldn't need much integration work). Why? Because the still emerging market for OS X security would be pointless afterwards. Maybe some journalist would still pick random remote root bug news from random security vendors. So what. How did we end up with OS X security becoming a mainstream interest for the security industry? Sigh. No matter how many band aids and koolaids we take, security doesn't exist. Enough said. Stop making a business of defensive security technology that doesn't work.
Go buy CANVAS (no, seriously, do it, it's like Metasploit but for professionals, and you will see a grasp of its potential).

- Lance.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Twitter: (verb) to fail under exponential growth Dave Aitel (Jun 29)
- Re: Twitter: (verb) to fail under exponential growth Chris Eng (Jun 29)
- Re: Twitter: (verb) to fail under exponential growth Adrien Krunch Kunysz (Jun 29)
- Re: Twitter: (verb) to fail under exponential growth Marc Maiffret (Jun 30)
- Re: Twitter: (verb) to fail under exponential growth Lance M. Havok (Jun 30)