Dailydave mailing list archives

Re: Faster, smashter.


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 8 Dec 2008 18:43:47 -0800


On 8-Dec-08, at 11:38 AM, Fisher, Dennis wrote:

I wrote a column last week along the same lines as what Dave has to say.
Not coincidentally, the column was the result of a discussion with Dave
and some others a couple of weeks ago. Dave suggested I post it here.
http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1340884,00.html

Dennis, go ahead and stop patching, but don't expect us all to follow.... :-P

Also, I've noted a big discrepancy between the talk and bragging about
having unpublished vulns (let's stop using that silly now meaningless 0day
term shall we :) and the actual vulnerabilities and their severities that
people have access to. How many times have I seen speakers at conferences
talk up the FUD about some vulnerability that turned out to totally fizzle
in practice? Uh, lots...

IMHO the actual problems we see from unpublished vulnerabilities are few
and far between. Fortunately, they aren't quite so common that they are
thrown around carelessly - because to use an unpublished vuln is to run the
risk of losing it. :-)

When a new unpublished vulnerability is discovered in use it's usually big
news (points to MS08-067). It also seems most of the malware can do just
fine using the same old low hanging fruit they've always accessed.

I would also note that it's misleading to say you should throw in the towel
because one unpublished vuln can pop your box. There is more to it than
that if you are doing your job right. Can they pop it without being
discovered... for how long, and how often? And how good are your
backups :-P ?

So, I'm not with you in declaring efforts at security a waste of time. As a
matter of fact I completely disagree with you, and think we have been
making some slow progress.... note for instance the shift to low level
vulns and application/client software as the OSes and network stacks get
(slowly) hardened. These days remote pre-auth anything is a big deal - that
certainly wasn't the case back when the one line patch to samba to make it
an exploit tool for that SMB flaw was first circulating. So let's give
those security teams at least a few deserved pats on the back instead of
jumping on the "OMG we're doomed bandwagon." There is still a lot of work
to be done, but throwing in the towel or trying to get others to isn't
going to get any of it done.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada  March 16-20 2009  http://cansecwest.com
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp
