Dailydave mailing list archives
Re: w00t 08
From: "Katie M" <k8ek8e () gmail com>
Date: Sun, 3 Aug 2008 09:02:25 -0700
As a former researcher on the Human Genome Project (my career had a brief detour in Molecular Bio in the early years), I can tell you that other scientific disciplines outside of computer security have the same problems. Wherever prestigious awards, big government grants, and possible lucrative drug company deals are at stake, some of the more unscrupulous of the scientists would sacrifice the integrity of their work in favor of speed. First to publish meant first dibs on all of the brass rings. It didn't matter if the data was bunk or the assays were all flawed. When I brought up the issues, I was told "we'll explain it in the notes, or an addendum later". Such addenda never came.

It's part of why I left academia in the first place, because I couldn't reconcile my own integrity with that of the "successful" scientists around me. Though I believe there are very talented and scrupulous individuals within every discipline, I tended to be attracted to the more exciting projects (Genome, AIDS research), and those probably had a disproportionate number of the unscrupulous who wanted the fame and the money that would eventually follow. It was also a feudal system, where the head of the lab would take primary authorship of any given student's work on a routine basis -- indentured servitude for an undetermined stretch of time until you could form your own fiefdom and possibly subjugate others' intellects.

What I did get from my turn in academia was a scientific method that proved useful in pen testing. I was often well-paired with "shotgun" consultants that would fire away, nearly at random, and try to collect whatever fruit dropped from the violent tree shake. It took them more time to figure out what they had done and document it. I was always slower at finding vulns, but could repro my vulns instantly and reliably because I documented each step, and had systematically isolated factors to determine the root cause. Neither method on its own would have done the job right, but I found I was always complementary to another's cowboy-shoot-from-the-hip instincts.

What I really love about security work is that the proof is in the pwnage. Documenting repro steps on a pen test is like giving someone a recipe to make your vuln cake. If it doesn't turn out, they might call you on it. Tools release is the same way -- instant peer-review. It's much more honest than the "peer-reviewed publications" of academia can be.

And though security researchers/hackers tend to be paranoid, there is a healthier sharing of information among these networks of peers than I observed in a lab while working on AIDS research. Scientists were duplicating each other's work and re-doing proven failed experiments because they were paranoid that their work would be stolen by another scientist down the hall. I'm convinced AIDS and a slew of other ailments would be cured by now if this were not the culture.

The non-academic security world's sharing and collaboration is much more true to the earliest scientists and mathematicians. Solve the problem, give greetz, shouts, and talks together. w00t, indeed.

I think the intersection of the two worlds of academic and public can be fruitful -- some of the most brilliant inspiration for security analysis comes from such symphonies (Think Marshall Beddoe's Network Protocol Analysis using Bioinformatics Algorithms paper: http://www.4tphi.net/~awalters/PI/pi.pdf). There are gems to be polished on both sides of the fence, and much we can do to advance the science of security, taking the best of both worlds.

But would I ever go back to academia? No, I'd miss my autonomy too much.

Cheers,
Katie

On Sun, Aug 3, 2008 at 3:57 AM, nnp <version5 () gmail com> wrote:
> On Sun, Aug 3, 2008 at 3:30 AM, root <root_ () fibertel com ar> wrote:
>> Dave Aitel wrote:
>>> These are not the papers you're looking for.
>>> http://www.usenix.org/event/woot08/tech/full_papers/
>>>
>>> Seriously, there's nothing there to scare a network offense professional. I don't think it's w00t's fault, either. I think the research communities are diverging into public and private, as this research gets more expensive to do. USENIX may not be the place for academic treatment of offensive security research. A friend of mine wonders if there's any future for academic treatment of the subject at all. He wonders wistfully of course, since he likes academia.
>>>
>>> Anyways, either be scary or be silly. There's no middle ground here. It's a fundamental truth in this field: You're either in, or you're out.
>>>
>>> -dave
>>
>> Commercial security conferences don't have great academic value because they are not peer reviewed (well, not reviewed by academic people) and there are other much important academic journals like IEEE, etc. that in theory don't accept money in exchange for the publication of an article.
>
> I'd like to get everyone else's opinion/experiences with articles from so-called 'peer reviewed' journals like IEEE and the rest. I've spent the past 8 weeks or so working on a project as a research monkey at my uni and spent the first few weeks poring over journals etc. When it actually came time for implementation though I discovered a huge array of problems that had not been mentioned in the articles (and were presumably ignored as acceptable sources of error). When I contacted the authors requesting to see their software so I could determine if they had solutions to the problems I was either ignored or blown off with excuses like "we currently don't have the resources to make that available". In my opinion this brings all of their results into question when outsiders don't know exactly what sources of error they deemed acceptable.
>
> If some academics aren't bothering to release their software and their results are questionable then what purpose do they serve other than to fill pages in journals? So my question basically boils down to, how much reviewing actually goes on? i.e., do they run the software? Do they examine code or formulae? Or is it just a case of 'well it looks right'?
>
>> Believe me, I had a hard time convincing my thesis advisor of the importance of being a speaker on Blackhat...
>>
>> Anyway, cryptography and cryptanalysis (offensive or not) is certainly dominated by academia, and I don't see that changing in the future.
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave () lists immunitysec com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
> --
> http://www.smashthestack.org
> http://www.unprotectedhex.com