Dailydave mailing list archives

Re: Twitter: (verb) to fail under exponential growth


From: "Lance M. Havok" <lmh () info-pull com>
Date: Mon, 30 Jun 2008 20:52:57 +0200

Hi Mr. Maiffret,

Nice to meet you, I guess. I was already pretty much off from the
whole computer security thing, and I was packing my stuff to go on
a legendary pilgrimage to the beach for partying hard, wasting myself
and possibly destroying my last few sane brain cells with some drugs and
booze.

Therefore, before I become incurably clueless and insane, I decided to
reply to this message. I still have a goodbye letter pending and a
last bang to shut the door behind me forever.

So here we go... yeah dude!

On Mon, Jun 30, 2008 at 2:41 AM, Marc Maiffret
<mmaiffret () inveniosecurity com> wrote:
-----Original Message-----
From: Dave Aitel
Talking with my British friends lately they're all quite obsessed with
trash. For good reason, I assume, since they now have strict recycling
<snip>

I am not sure what unsustainable growth in human garbage or number of virus
signatures really has to do with security tools not taking the extra step
in automation. Vulnerability Assessment and Code Bugs do not create an
exponential amount of findings but rather a steady stream, mileage may vary.
Some could argue they are exponential in their databases of things to scan
for but that is not true with code bugs and in the case of VA typically
there is a lot of superseded patches where you are looking for the latest
rollup rather than the 100 bugs that led up to it. But I'm digressing...

Every patch once in a while introduces another hundred bugs. And
people still have to care about patching bugs they consider
'unimportant'.


Automation can be a great thing or it can be a bane. Too many times these
days technology caters to laziness or as Band-Aids to human stupidity, like
the difference between side airbags and cars that can parallel park
themselves.


The complexity in security is not from any complexity in technology but the
complexity in motivating people to truly care about security and act
accordingly. Non-accidental Murder by Technology will help speed people's
thinking along.

Why should we care about security anyway? Security these days is
becoming a matter of crowd control, nothing else.
Normal people don't give a shit about the details or whatever other
cranky technology affecting their security. Technology is the new form
of slavery. The more connected you are, the more control others can
exercise over you.

I was reading an interview done by Hubbard's (the Scientology founder)
son, and he basically said something alas: "Scientology counseling
revolves around your sexual life. If you know every sexual detail,
dirty deed, desire and craving of an individual, you control his
life."
Technology is pretty much becoming the new cancer of today's society.
Security in technology is just an accident. We are hyper-connecting
ourselves, everything is getting networked. From phones to fridges, to
dildos, anything. You are broadcasting your whole life, and nobody
really cares about it until they want to steal your bank information.

This whole new thing about technology is that it makes you and me, the
average random idiot on Earth, feel like we are someone special.
Goddammit, there are more than 6k million people on this planet.
Illusion of self-importance. Might make you feel good and fuzzy, but
it's freaking non-existent. You won't achieve enlightenment in your
life while blogging about your last trip to Las Vegas. No fucking way.

I would pay to see Ned Ludd brought back to these days.


Companies already have to manage everything so they will have to deal with
scale either way. Maybe BindView does not scale (I don't know) but there are
companies in the world that manage half a million or more Windows systems
centrally, including patching, and they do an extremely good job of it.

As you seem passionate on the subject, I cannot help but ask: when is Canvas
coming out with a feature to automatically push patches for vulnerabilities
it uses to own a system, and how will you handle zeroday? :-)

You miss the point about CANVAS. It's an offensive technology. It's
not supposed to defend you against anything. It simply provides an
efficient way to have a real perspective of how clueless your network
security people are, and how you should be moving from Apache/PHP to
IIS/ASP.NET. If you don't like that, go develop a plugin and plug it
into the framework.

The point here is that the whole industry and the technologies
developed by people working at it pretend to be defensive. They
pretend that by investing a crap load of money in a super advanced
IDS megasystem of anti-hacker nanotechnology, you could actually
prevent your employees from downloading child pornography, suffering
targeted attacks via Office documents, leaking information via P2P
software, etc. The same goes for antiviruses, for vulnerability
assessment, etc.

There are a whole helluva lot of smart asses out there who can audit
your code and still miss incredibly stupid shit. How do you like that?
And you are paying 2k bucks a day for each code-leaking auditing
minion. The only technology that has actually worked overtime is
grsecurity and watch out for the imitators out there. Brad did an
excellent job at freely licensing it. You know what, I was gonna work
on a BSD-licensed grsec-like security patch for NetBSD. I would hope
to have it promptly stolen by Apple (since I was going to use the
kauth subsystem, they wouldn't need much integration work).

Why? Because the still emerging market for OS X security would be
pointless afterwards. Maybe some journalist would still pick random
remote root bug news from random security vendors. So what. How did we
end up with OS X security becoming a mainstream interest for the
security industry? Sigh.

No matter how many band aids and koolaids we take, security doesn't
exist. Enough said. Stop making a business of defensive security
technology that doesn't work. Go buy CANVAS (no, seriously, do it,
it's like Metasploit but for professionals, and you will see a grasp
of its potential).

- Lance.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
