Dailydave mailing list archives

Re: Re: This mornings Security Wire Perspectives - Ira's proof of concept code article.


From: pete <lists () isecom org>
Date: Tue, 30 Nov 2004 12:01:48 +0100

Fun discussion.

Julio Patel wrote:

> You must be the sales guy.... All that fluff above just to say that,
> yes, you do fall somewhere between the extremes.  Great.

Ah yes, the greatness of fluff. But why does fluff suggest sales only? I see it a lot in management and in academia as well.

>
> A woman went to the doctor and told him that she had hurt herself
> while golfing.  The doctor said, "where?" and she replied "between the
> first and second hole"...The doctor told the woman...."your stance is
> too wide"....haha, get it.  your stance is too wide.
>

A man walks into a bar. Ouch! Haha, get it? Perception problem: he didn't see the bar. Limited view? C'mon, you're not laughing!

> We figured out how to jiggle loose those male/female combination bike
> locks.  For months we had the nicest bikes in the hood.  If you grew
> up in Ann Arbor, I may have gotten yours.  I was partial to Schwinns
> back in the day.

What you and your friends did in Ann Arbor sounds like real fun! We should party. But did you learn how to do that from the news, or was this something you learned on your own and hoped wouldn't get disclosed, so people couldn't get refunds on their locks? Oh, wait, vendors don't refund their insecure software....


> So, Ira was right.  An automated scanner *can* often test for exploits
> via the network (without exploit code) and even more often if the
> scanner is configured to do the checks locally.

Ira was almost half right, if in the real world it actually worked like that and those in charge of security conveniently had root and admin rights on all the boxes they had to do local tests on. Politics makes local checks a moot point in most of the world.

> This is pretty much what Robert already said....he needs exploits (or
> at least detailed tech info) to do better pen-tests.  OK,
> Full-disclosure fits your business model...what's your point?  You've

I guess all those MBA classes have paid off for you and, thankfully, now for all of us. Was it in an advanced class where you learned that a system where, as a vendor, you control both the product and the maintenance of that product (which people must pay for) is an even better business model? Imagine a system where any third party could make an analysis of a product that is not sanctioned by the vendor of that product. I know Big Pharma has also found the whole clinical trials thing to be pretty pesky too. It really cuts into their preferred business model.


> Ah, humour. I'll have to remember that the next time I'm debating someone.

Oh! You were "debating". Now that's funny.

> Yeah, don't go overboard there, chief.  Screw with the infosec
> money-making machine and I might not be able to make my monthly
> golden-calf payments.

But isn't that what you're suggesting, whereas for you the "infosec money-making machine" is NOT independent consultants?

Julio, you're not debating. You're heckling, and doing a bad job of it, on a serious issue that goes way beyond money. A system needs to exist where independent researchers can verify vendor claims, just as Consumer Reports tries to, or the FDA tries to, or countless other consumer groups try to. Ira doesn't mention that and neither does Robert, but between the two arguments it's clear that what exists isn't working. And it's been clear since Robert first posted a rebuttal to Ira's article, or else a strongly differing opinion wouldn't exist.

-pete.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave