Full Disclosure mailing list archives
RE: RE: [PHC] Sermon #3 (w/ reply to Paul Schmehl & others)
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sat, 23 Nov 2002 10:58:06 -0600
-----Original Message-----
From: phc () hushmail com [mailto:phc () hushmail com]
Sent: Friday, November 22, 2002 9:56 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] RE: [PHC] Sermon #3 (w/ reply to Paul Schmehl & others)

[PHC]
-------------------------------------------------------------------------------
%Point 1% You agree this is a given.
-------------------------------------------------------------------------------

[paul] Of course, but to clarify, it *is* possible to raise the bar high enough that only the truly determined can find a way in. It's analogous to the physical world. You can put up all the defenses you want, but if someone is willing to take the risks, they can get past those defenses and into the building.

[paul - previous] Do you *really* expect intelligent people to believe that the "Trustworthy Computing" initiative that Microsoft has undertaken would have *ever* happened without the steady stream of embarrassing disclosures, culminating in the awful buffer overflow in UPnP, that led up to that announcement? Frankly, that stretches credulity to the breaking point!

[PHC]
-------------------------------------------------------------------------------
Granted, the security community may have increased vendor awareness, but awareness alone does not lead to security. Even people who tug to security 24/7, like Theo de Raadt, have failed miserably.
-------------------------------------------------------------------------------

[paul] You have now conceded that the security industry has value. The problem is that you paint everything in black and white. No one would dispute that there are people *in any industry* who are in it simply for self-aggrandisement. That's human nature. But you attack the *entire* industry for that, when in fact there are some really good and dedicated people in security. Marcus Ranum is one, and you clearly admire him. So why publicly condemn the entire industry when you don't believe that yourself? Doesn't that make you just as hypocritical as the people you accuse of hypocrisy? Why not attack what you believe is wrong instead? You lose credibility when you make blanket condemnations.

[PHC - previous] It's wrong to expect Microsoft to develop perfectly secure software, just like it's wrong to expect anyone else to be able to. Yet this doesn't stop the security industry banging on about it, contradicting their "there is no such thing as perfectly secure software."

[paul] Actually, "banging on it" simply proves the maxim. Not only do they *say* there is no such thing as perfectly secure software, but they go ahead and prove it. For this they should be admired, not condemned, for they have not just postulated empty rhetoric. They have proven their point.

[PHC] I'm sure you realize the argument is not about "what brings security," as absolutes are not possible, but "what brings a better level of security."

[paul] Of course.

[PHC] Based on the article mentioned in Sermon #3 and the articles of Marcus Ranum (both written by prominent 'whitehats', hence no ulterior 'blackhat motives'), non-disclosure leads to a better level of security in the short-term. Therefore, it remains only to be contested whether full disclosure leads to better security in the long-term. Since non-disclosure has a foundation in the short-term as being a workable solution, whilst full disclosure in the short-term is detrimental (a "necessary evil"), we feel that the burden of proof is on the security industry to tell us why full disclosure in the long-term will be any different to full disclosure in the short-term. We don't believe it will be; we believe this "necessary evil" in the short-term will only intensify as time goes by. We base this belief on the pattern that has evolved over the last decade during the Reign of Full Disclosure. Logical projection into the future tells us it will continue. We may be wrong, and we invite correction.
-------------------------------------------------------------------------------

[paul] OK, define "non disclosure". Exactly what is it that you are advocating? Can you provide a pointer to Marcus' article?

[PHC]
-------------------------------------------------------------------------------
NON-DISCLOSURE
==============
short-term
----------
attackers: blackhats/professionals

long-term
---------
attackers: blackhats/professionals

FULL DISCLOSURE
===============
short-term
----------
attackers: blackhats/professionals
attackers: inordinate number of scriptkids

long-term
---------
attackers: blackhats/professionals (based on %Point 1%)

*** Is this stage (full disclosure, long-term) even reached? And if so, what
*** did it achieve that non-disclosure didn't, other than injecting scriptkids
*** into the digital ecosystem, causing a greater number of admins headaches,
*** and allowing the security industry to stuff their pockets with cash?
-------------------------------------------------------------------------------

[paul] Please define "non-disclosure". Are you saying that security professionals shouldn't try to find holes? Or are you saying they should notify the vendor, but never publicize the vulnerability? Sooner or later vulnerabilities will become public knowledge. Either a "blackhat" will talk or a professional whose equipment has been compromised will figure out why and notify the vendor. It's impossible to keep a secret when more than one person is involved, and *by definition* more than one person is involved when someone is hacking a network. You could argue about the *timing* of disclosures, but in practical application, there is no such thing as non-disclosure. At the very least admins are going to share their horror stories in an effort to figure out how to stop the attacks in the future.

[PHC]
-------------------------------------------------------------------------------
Blackhats exist in both schemes. There's nothing we can do to stop them. It's just a question of which scheme brings subsidiary pains-in-the-ass and which doesn't.
-------------------------------------------------------------------------------

[paul] Actually, I think it's a case of choose your poison. As an admin, which do you prefer? The temporary pain of script kiddie attacks? Or the long term pain of blackhat attacks that you have no idea how to stop and no vendor patches to help you?

[PHC]
-------------------------------------------------------------------------------
Success can never be reached, hence the security industry is bound to be unsuccessful in the long-term. Therefore, the other alternative may be more palatable.
-------------------------------------------------------------------------------

[paul] Again, you're trying to paint the world in black and white terms. It just doesn't work that way. You must be fairly young, because you're still very idealistic.

[PHC]
-------------------------------------------------------------------------------
They have closed one single hole, which did what? Publicly announced the hole to the scriptkid population, allowing them to attack the greater majority of admins who aren't as diligent as you are, all in the name of a future Utopia that we have no reason to believe will even occur. Meanwhile, the blackhats carry on unhindered, due to their alleged resourcefulness, creativity, and persistence. So you've won the scriptkid-admin race yet again, but other admins might not be so lucky -- the greater number of admins, in fact.
-------------------------------------------------------------------------------

[paul] You yourself have already admitted that the security industry doesn't believe in the "utopia" that you deride. They publicly state that it's not possible to be 100% secure. So who is really being more unrealistic? You criticize them for admitting you can't have 100% security and then trying to *improve* security. Yet you advocate no improvement in security at all. Just surrender to the blackhats who will own you when they want to. This is a very self-centered approach to a problem that affects everyone in the world.

[paul - previous] Try to understand the problem from the viewpoint of a network admin. Most could care less about the philosophical debates that surround these issues. Most don't want to learn to program, more than what is necessary to automate routine tasks. They don't want to master multiple disciplines *in addition to* their chosen profession, and they don't want

[PHC]
-------------------------------------------------------------------------------
We are advocating the removal of their need to deal with scriptkids. This should be far less taxing on their time and energy.
-------------------------------------------------------------------------------

Perhaps, but the long term effect might be even more deleterious.

[PHC]
-------------------------------------------------------------------------------
We claim that it's impossible to completely secure software, by the admission of security professionals themselves, THEREFORE we accuse them of being money-mongering criminals (?) who know deep down that they're chasing the wind, securing nothing other than their employment status.
-------------------------------------------------------------------------------

[paul] You demand the impossible. You say, because the goal is unattainable we should not even try. This is a defeatist attitude at best. Regardless of how unattainable the goal may be, the effort is worthwhile because the end result is better than the present situation.

[paul - previous] What I see you preaching for is for my network to remain vulnerable and compromised forever. That's not a goal I would work for. So why should I assist you in yours?

[PHC]
-------------------------------------------------------------------------------
No, you agree by %Point 1% that it will always be insecure. So why not cut down on the number of people who can cause you grief? Full disclosure certainly doesn't do it, not with its "necessary evil."
-------------------------------------------------------------------------------

[paul] But you're not only advocating that we cut down on the number of attackers, you're advocating that we surrender to the skilled ones. Lay down and give up. If that were my attitude, I would not be worthy of the job I've been hired to do.

Paul Schmehl (pauls () utdallas edu)
TCS Department Coordinator
University of Texas at Dallas
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html