Dailydave mailing list archives

Re: oooh, isc2 gets p0wned


From: Dave Aitel <dave () immunitysec com>
Date: Sun, 06 Jun 2004 19:39:39 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Halvar Flake wrote:

| Hey all,
|

<snip>

|
| In the end, fsck em :-) I mean, more or less all interesting bug
| searching is done by _individuals_ -- some of them happen to work
| for companies, but in general, most of the underwriters of OIS are
| not very active bughunters. Basically, what we see with OIS is
| security companies selling to MS the lie that they are the ones
| doing all the "research", and MS paying money to them to get them
| to play by their rules. As the true bughunting happens outside of
| this circle, I feel that OIS is not much to worry about :-)
|
| Cheers, Halvar
|
Well, I continue to worry about OIS trying to canonicalize their
views (i.e. Microsoft's views) in some form of governmental agency,
which is what Weld Pond went to talk to Congress to lobby for, and if
you read a few of the things on their website, they are subtly and not
so subtly suggesting that a government CERT-like organization, backed
by the power of law, would be a good thing. I.E. They want to make it
illegal for researchers to report on vulnerabilities outside of their
framework.

Now, that these government agencies are falling for it is a
no-brainer, since money talks, and as individuals (or even tiny
companies) we don't have much of a voice. I remember reading one of
the other "Cybersecurity" papers that came out from a new DHS agency
which had plenty of references to Gary McGraw's "work", which was
funny, because Gary McGraw hasn't demonstrated that he knows a harp
from a handbasket with regards to security.

Oh, I found out just now that he helped write it. That would explain
it. http://www.eweek.com/article2/0,1759,1571986,00.asp . They also
quote the "research" that @stake did to try to prove you should hire
them during ALL PHASES of the software development lifecycle.
http://www.cyberpartnership.org/init-soft.html is the source for the
original paper I was recalling. I don't see an HTML or OpenOffice
version of it.

It really bugs me when people use references [McGraw, 1999-2004] to
indicate that something they are writing has some basis in science,
when in fact, they're really just making up some derivative, often
self serving, opinions, possibly backed up by baseless and misleading
statistics. Often the trick is to surround your opinions with other
opinions everyone shares. Like the following example:

The Task Force found the following things would help software security
and should be sponsored by the Department of Homeland Security:
o Encourage organizations to adapt practices which remove security
problems from any software they write
o Pay someone who clearly has no clue which way is up to survey
methods for designing security into software (as long as they have a
Ph.D. Hey, *I* have a Ph.D.!) (I.E. "Encourage and Fund Research" -
see p.72 of the text. This was obviously not the original way it was
presented. :>)
o Request that all people who write software get security education
(also see p.88 for more examples of this fascinating recommendation style)

If I seem down on the idea that the DHS is going to "fund research"
into software security, it's because it annoys me that the McGraws of
the world are able to dictate public policy (aka, your money) and
don't have a track record of doing anything interesting. Why aren't
they paying the 50K a year or so it would take to fund GRSECURITY
instead, which has proven results and is done by an undergrad in his
spare time? Even Immunity does our part to help Brad Spengler eat.

This Cybersecurity task force could do a whole lot better by funding
one Brad, than by hiring 3 Garys. At my calculations, using the value
they provide for one PhD. (50 Million Dollars per Year in overhead,
and 250K in salary - see page 21), that's a fantastic savings of ... a
boatload of cash!

I'm a little off the subject here, but I guess my point is that these
organizations are a ton better at lobbying than individual
researchers, and laws which you would think were insane (DMCA, Patent
rules, etc) are in their best interests and they're fighting hard for
them.

I want to see someone realize that it's a thousand times more cost
effective for a large software company to just create better patch
creation and delivery methods than for them to do any but the most
basic (SPIKE, etc) security work ahead of time. You won't see THAT
coming out of any security vendor, even though it's most likely true.

I agree though - 90% of the interesting work in this field is done by
people who don't publish it publicly, and 10% is done by people who do
publish it, but aren't affiliated to a company known for doing
"security research".

- -dave
(see, and there I go again with statistics drawn from who-knows-what
source. Now someone can reference this email in a white paper, and
then a reporter can read that PDF and claim it as fact, and it becomes
fact. Note the random assertions as to how individuals are
comfortable working on page 123 of the report that references OIS.
"Success will have been achieved if a commitment to the [OIS]
guidelines becomes a criteria for vendor selection in the
marketplace." An optimist would say "This means that people won't buy
BobSoft software because BobSoft doesn't follow OIS guidelines." But
in reality, this is Microsoft telling the budding Bindview, Foundstone
and @stakes of the world that they better play by the rules if they
want the cash. And it's OUR GOVERNMENT sponsoring this free marketing
campaign for them. Disgusting. Their next step is to say "Market
forces have failed - we need government mandating of OIS rules!")

P.S. VERDE is not listed in the "Attack Patterns" McGraw is so fond
of. A lot of Immunity's VSC bugs aren't.

P.P.S. Honestly, this money is better spent hiring people who speak
Arabic or a few more armored humvees, if what we're trying to do is
have homeland security. The people who own all these software and
security companies are already rich, and don't need any public dollars.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAw6s7zOrqAtg8JS8RAhp+AJ9H6I31troZX4Esk7c0IboVHuVPjgCgstOB
twgZSV7C9NYZ9AfoMjT/Xhw=
=1SMy
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave