Full Disclosure mailing list archives
A Few Realities About Security Re: Microsoft Cries Wolf ( again )
From: <secresearcher () hushmail com>
Date: Wed, 2 Jul 2003 12:46:29 -0700
Reality. I have a critical vulnerability with Microsoft right now. Only their people and myself - and a few other researchers at my company - know about it. This affects every Windows OS across the board. You can be with the US government... or with Saudi Arabia's government -- if you use Windows, I can hack your system.

Microsoft should give me a badge saying, "This man has the right to know about a backdoor in Windows OS bigger than what the NSA could ever hope to have." They should put on the front page of their website my picture, saying, "While we fix this bug, this man knows how to get into your systems."

But, nobody ever thinks about this. The media doesn't understand this angle. Perhaps no one should. I am trustworthy. You can trust me not to tell anyone the specifics of these bugs. Not even my best friends. Not even my wife. Not for three months - the minimum amount of time Microsoft has taken to fix my bugs - nor for six months... the longest they have taken. Yes, though diplomats and bank executives are always prone to my critical bugs... I won't ever use my bugs on you. I don't get paid too much, but luckily for you I am a solid American, a good Christian. I am a professional. I have seen top military advisors blurt out secrets in Vanity Fair -- but, me, I know all about keeping secrets. I think these guys are amateurs. I am not telling you where I work, what bugs I find, or anything of this nature. I know this. Because, I am a professional. I have great experience with secrets. I respect secrets.

I also realize readers will understand my sarcasm here. Yes, everything I have said is true. Indeed, only someone like me would be so astounded that Microsoft so trusts me -- because they do not know me. And, what about every other security researcher and every other security company? I read about how guys in the security industry get various rights to handle varying degrees of classified material. Yet, I know that the security bugs I deal with - security bugs my co-workers deal with - these things could be used to hack into any system anywhere. Heck, the government itself should finance us, if only to ensure we could afford the kind of physical and network security we should have here -- massive metal doors, security cameras, on-premises security guards, counter-surveillance teams, etc, etc. What if terrorists broke in and got our archive of zero day? What if North Korea did this? What if Cuba did this? What if the Russian mafia did this? People that don't find critical security bugs in 100 million plus systems don't think on this. People that do, do do this. Even those that are less politically aware than myself.

Now, what if someone with more loose lips disclosed such a bug on IRC? What if they told a hacker friend who had an issue with who knows what government or company and did some worm? Schmidt was absolutely right (and it is our advice he listened to) -- zero day viruses are a massive threat. We have been going on borrowed time. Understand, these renegade virus writers that have also been able to find zero day are not the top of the line people. They are the first of an emerging breed of attackers. Finding serious security vulnerabilities in 100 million plus systems may not be getting easier -- but more and more people are learning how to do this. Combining that knowledge with the ability to code a nasty worm or trojan may not be getting easier -- but sooner or later, you will find rogue nations, corporations, and organized crime capable of doing this. We do not get paid very much. Not every security researcher has such morals as I do, nor as my co-workers do. Talent and morals do not always go hand in hand.

Applications which truly protect against zero day are extremely rare. Systrace does this effectively -- but how many admins use this, how many use it effectively? SecureEXE, how many use this? Entercept? Trivial to get around. Firewalls like Zone Alarm which attempt to do proper application gating that protects against unknown trojans based on the same kinds of concepts as systrace uses? These are trivial to get around. Zone Labs recently replied that these attacks are not trivial. They are correct, only in the sense that they assume one person won't make the trojan and another use it. It only requires one public release -- and a bunch of script kiddies hex editing it so it bypasses signature-based AV -- for a problem to result.

Many of these problems are due to incompetence, poor funding, and security companies that mislead the public. Poor funding is probably the biggest problem. We security researchers get little respect. Look on monster.com or dice.com for how many companies are hiring security researchers. Security enabled QA people? It is dismal. If you want to get a job -- get your CISSP and play dumb. If you want to find companies hiring for code reviewers? Forget about it. Not happening.

This does not mean I support the wannabe "black hats" posting here, debating on IRC, playing stupid poseur games. That whole scene is fake, a pose. It is disgusting. These guys don't know a "black hat" from the tooth fairy. No, "black hats" hack for money. People should realize this. Law enforcement realize that people are generally bad -- but law enforcement personnel of any caliber are far removed from computer security. Indeed, there is no law enforcement branch for the Internet. You get hacked, it has to be over multiple thousands of dollars of damage, then the FBI might be interested. The FBI. That is like using a sledgehammer to type on your keyboard. They are underfunded, under-experienced, undermanned for such tasks. If you see a lot of busts -- that is high profile gimmickery. It is a sham. It makes lawmakers blind to the realities. It is as unjust as the fact that RICO laws weren't used against the Mafia for over a decade. It is as unjust as the fact that Hoover claimed for decades "there is no mafia". And, let's not even contemplate the rest of the world.

Hopefully, this little speech was enlightening to some people. Some, I am sure, will be arrogant and not believe it. Such people have the reasoning faculties of a child. Not surprising, since it is extremely rare that security researchers actually read books on subjects other than on security. Look at slashdot comments. They are morons outside of tech issues (indeed, most are morons even inside tech issues).

Anonymous Security Researcher

_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html