Dailydave mailing list archives
Re: This mornings Security Wire Perspectives - Ira's proof of concept code article.
From: Julio Patel <smerdyakovv () gmail com>
Date: Mon, 29 Nov 2004 14:19:05 -0500
On Mon, 29 Nov 2004 09:05:22 -0800, robert () dyadsecurity com <robert () dyadsecurity com> wrote:
First off, let me say thank you for responding. I enjoy feedback/conversations.
Danke, gracias, or Thank You (if English is your native language).
I was merely demonstrating absurdity by being absurd.
As Confucius says: A man who pimps himself has a ho for a client.
Are you talking for all the end users? Oddly, I might want the patch before the exploit code...it depends on the situation.
Can't speak for everyone. My contention is that if the person is on the ball enough to know about patches and to install them in a timely manner then they are on the ball enough to take other security precautions if needed.
That can't be shown. My 7-year-old can install patches and she doesn't even understand how (or why) a firewall works.
The way the current vulnerability information disclosure scheme works results in an extended period of time for a vulnerability to be exploited in malicious directed attacks. It also lowers responsibility on the vendors to make quality software and lowers the pressure to make a solution available. As an informed end user I want the extra information.
Yup, I know that *you* want the extra information. You were making the argument that the information is in the best interest of everyone all the time. It's not that simple.
Uninformed end users are going to be compromised with or without a patch being made available.
Not true. See above.
I'm reminded of a childhood experience. When I was 6 my parents bought me a bike. I had a chain to lock up my bike when I was away from home. One day my little sister was playing with the lock and broke it. I was angry with her for finding this vulnerability in my security system until my father pointed out that if my little sister could easily break my lock, then so could a person who wanted to steal my bike. Sometimes it's better to know your risks so you don't make uninformed decisions based on a perception of security.
HAHA. Yeah, but you woulda been pissed if your sister broke the lock and then told the other kids about it before giving you the chance to put it in the garage with daddy's beemer.
I grew up thinking everyone had to work on their car on the weekends. We had one Volkswagen Micro Bus as the family car. We could barely afford the bike on a super sale from toys r us. I know you're just joking around, but you don't know me, and shouldn't make a wealth assumption like that :). Also, if the other kids and I were notified at the same time, I'd still have an opportunity to secure my bike.
Only if you were the fastest kid on the block. C'mon, admit it. You would have liked early notice from your sister. Even if all she told you was "Hey Bobby, you might want to put your bike in the garage because I'm about to tell everyone how to bypass your combination lock"...
People who follow this advice clearly have no concept of what their automated scanners are doing or even how they are developed.
apparently, neither do you. You do know that many scanners check for package versions, registry keys, dlls, etc. locally, right? I'm not saying that all scanners and all checks use local access. I am saying that many do include the ability to do the 'scanning' this way. Ira took an extreme, you've taken up the flag for the other extreme, and the truth....well, it's out there somewhere.
Turns out I know a little bit about security testing and security scanners :). Consult http://www.osstmm.org and http://www.unicornscan.org
So, you were aware that lots of scanners can do many checks locally?
hmmm. i took Ira's statement to mean that if you're a pen-tester worth half a chit, you'll be able to come up with a way to test for the vuln on your own. Note that I'm not saying that Ira is worth half a chit...but, if you're contracted to scan a network and can't come up with your own stuff, then your percentage of chit is on the decline.
On a recent test we had to take an Apache vulnerability and modify it in order to exploit an IBM molested version of apache. We at least had enough of a base to start from in the middle of a test. On the same test we had to tell them to consult IBM for another identified vulnerability that had very little technical details published other than the version of the vulnerable application. In the middle of a test you don't have time to rediscover every hole and write custom exploits for every problem. We don't need working code, but we need a technical enough discussion where we understand what the problem is in order to test for it. We never use straight example POC code in tests... but we do find it to be helpful as a starting point.
It's good to get past all that moral high-road, altruistic crap, and cut to the heart of the issue. you need that information so that you can keep charging 10k/week to pen-test your clients, right? And, that's valid and I don't have a problem with that. Just don't make blanket statements about it being the best for everyone all the time.
I'd like to throw the "monoculture" crap back at you on this one. If the attack payload is easily identifiable and reused, then the gateway devices should be able to mitigate the risk. I've never been a fan of IDS or IPS systems as I don't believe they are properly labeled. They do not detect or prevent intrusions. However they are getting particularly good at detecting and in some cases preventing (at the gateways) worms. This is where your Worm Prevention System (WPS/WDS) can help you... that is of course until a vulnerability is distributed to attack them :).
one, you're contradicting yourself above. two, this is about as silly as the 'encrypting email' post. re-read what you just posted. are you saying that gateway devices should be doing signature matching on known exploits?
I think you misunderstood my point. I am not advocating IPS solutions as a valid security defense. :)
Right. And, I was saying that worms are a form of intrusions.
See http://www.dyadsecurity.com/papers/rbac.html for a more detailed view into my thoughts on that stuff.
You said that IDS/IPS was getting particularly good at detecting and in some cases preventing (at the gateways) worms. I'm not gonna crawl all over the Internet looking for your stance on IPS. I'll just have to go by what you post here.
Julio