Dailydave mailing list archives

Re: A single line drawn by Picasso, an Iraqi artist, and a buffer overflow.


From: Matt Hargett <matt () use net>
Date: Thu, 09 Jun 2005 12:54:40 +0000

Thomas H. Ptacek wrote:
2. It places a premium on vulnerability research that produces readily-exploitable vulnerabilities in a small subset of vendors, regardless of the fact that those vendors might not be our most important targets. For every OS you find a remote in, I have an embedded printer card that would be even scarier to break. And so on. Not to mention the fact that the "current exploitability" factor is not necessarily a good predictor of the "long term value" of a vulnerability.

Totally with you here. You wouldn't believe some of the stuff our product is finding in embedded MIPS application binaries. People probably have 10 of these things in their possession and only know about half of them.


3. It marks a return to the "security-clique" mentality that characterized the early 90's; if full-disclosure people like me have an ideological enemy, it's the Infohax/CORE-list dynamic that kept a small group of "cool kids" in the know about holes and everyone else in the dark. 8lgm shattered that on Bugtraq, hundreds of people followed, and we are way, way better off for it. It's a subtly different point from #1: yes, it's bad to hamstring operators by keeping info secret, but it's even worse to retard progress by withholding research results.

As you already know, I really disliked this aspect of the security 'scene'. The constant dick-waving about who has what information is so stupid, it makes me tired. It ends up forcing out people who might otherwise have valuable contributions, but people caught up in the cliquey middle-school-level games you mention above can't see past their own egos enough to realise it half of the time.

There are lots of smart people out there who don't have the credentials to get into these cliques, but it's amazing what they can do when given the right direction. I'm glad other 'cooler' people have passed on so many of these bright engineers, more for me :)



Part of the issue is, I'm just not convinced that the current model we have isn't effective. Yeah, it undersells people who find vulnerabilities. But undervaluing research isn't what keeps people buying insecure products, so solving the "market value of exploits" problem doesn't address the "market acceptance of insecurity" problem. It seems clear to me, based on the past 10 years of vulnerability research, that there are other effective motivators for security researchers.

And what if finding low-hanging fruit vulnerabilities becomes a commodity? Remember when people couldn't charge $200/hour to do a portscan and give a 'report' on a class C because the tools were available? People said network security scanners "couldn't be done", mostly because they were hanging onto a fantasy life of doing things that no one else could do easily.

What do you think the impact on the model will be when this happens with finding novel exploits?

What do you think of the ability for enterprise software consumers themselves to accurately verify that the COTS software they buy meets a minimum security standard?

Great commentary :)
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave