Dailydave mailing list archives
Re: stop the presses, security is solved!
From: "Dave Korn" <dave.korn () artimi com>
Date: Wed, 10 Jan 2007 17:33:25 -0000
On 10 January 2007 06:05, Arun Koshy wrote:
> I'm seeing this post with fascination. Are we really this starved for contrived humor or personal potshots that lead nowhere? Very very few things in this world are original and elegant.
Which is why when somebody makes extraordinary claims to have achieved fundamental breakthroughs, it is legitimate to point out that they are full of humbug. It's not just that their claims are smothered in marketing hype, it's that once you've removed the hype they are either false or meaningless. Or both.

Take these claims:

"Not an ineffective behavior-based approach"

"Innervue is based on such internal activity as disk writes, page faults, network access, internal exceptions and much more."

That /is/ behaviour.

"this is all done without file scanning or overhead"

Of course it involves overhead. To claim that it doesn't is as garbage as claiming to have invented a perpetual motion machine.

When you read in depth,

"The answer is to take a positive approach. At any one time the software on a computer is fixed and is from well-known suppliers. Further, newly installed software comes at predictable times and is under the user's control. It is a much smaller and easier task to approve current and new valid software than to identify all attacker software now and in the future. Greencastle takes this positive approach."

you see that all they have done is reinvented some combination of whitelisting and tripwire.

"New software is identified well before it even starts to run and then is watched closely after it begins executing."

If they aren't using syscall hooking to do this, they aren't doing it effectively, and if they are, their claims of stability and low overhead are bogus.

"Greencastle is the first technology that goes to the level beneath which attacks simply cannot go"

If that's not syscall hooking, it's not the "level beneath which attacks simply cannot go". Actually, if that's not a hypervisor, it's not "the level beneath which attacks simply cannot go". And since attacks (currently only POCs, AFAIK, but that's not the point) already have been demonstrated at the syscall, hypervisor, ACPI and BIOS levels, there really is no such level. So either attacks can go beneath it, or it's not the first at whatever level it's actually at.

I'm also curious how all this "we prevent new executables from even being launched" would help prevent a buffer overflow or other redirection of control of an already-running thread in a white-listed application.

At least if you read their own descriptions, there is nothing new or original about any of it. I'm sure it could stop idiots double-clicking executables they've been emailed, and prevent malicious websites from forcing an executable download via the browser, but that's nothing new.

I remain to be proven wrong, but extraordinary claims require extraordinary proof, and all we've seen here is very ordinary marketing.

cheers,
DaveK
--
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
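As an added illustration of what DaveK says the pitch boils down to (this is example code, not from the thread or from the product being discussed), here is a minimal "whitelisting plus tripwire" check in Python: hash every file under a root into an approved set, report files that are new, modified or missing, and approve a launch only when the file's hash matches its baseline entry. The directory layout, file names and contents are constructed for the demo; as the post points out, a check like this only covers new or altered executables and says nothing about a control-flow hijack inside an already-approved, running process.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of the file's contents (whole file; fine for executables of modest size)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root):
    """Approved set: relative path -> SHA-256 for every file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def verify(root, baseline):
    """Tripwire pass: report files that are new, modified or missing vs. the baseline."""
    current = build_baseline(root)
    return {
        "new": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }

def is_approved(path, root, baseline):
    """Launch-time allowlist check: run only if the hash matches the approved entry."""
    rel = os.path.relpath(path, root)
    return rel in baseline and hash_file(path) == baseline[rel]

def demo():
    """Constructed sample tree: two approved files, then one tampered and one dropped in."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        def put(name, body):  # write a sample file into the constructed tree
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(body)
        put("app", b"approved app v1")
        put("helper", b"approved helper")
        baseline = build_baseline(root)          # snapshot taken while the tree is clean
        put("app", b"trojaned app")              # modified in place: hash no longer matches
        put("dropper", b"unknown binary")        # new file: not in the approved set
        report = verify(root, baseline)
        report["approved"] = {n: is_approved(os.path.join(root, "bin", n), root, baseline)
                              for n in ("app", "helper", "dropper")}
        return report
```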
Current thread:
- stop the presses, security is solved! Brian Caswell (Jan 09)
- Re: stop the presses, security is solved! Olef Anderson (Jan 09)
- Re: stop the presses, security is solved! Martin Roesch (Jan 09)
- Re: stop the presses, security is solved! Anton Chuvakin (Jan 10)
- Re: stop the presses, security is solved! adrian . sanabria (Jan 10)
- Re: stop the presses, security is solved! Arun Koshy (Jan 10)
- Re: stop the presses, security is solved! Dave Korn (Jan 10)
- Re: stop the presses, security is solved! Martin Roesch (Jan 09)
- Re: stop the presses, security is solved! Olef Anderson (Jan 09)