Dailydave mailing list archives

Re: w00t 08

From: "Katie M" <k8ek8e () gmail com>
Date: Sun, 3 Aug 2008 09:02:25 -0700

As a former researcher on the Human Genome Project, (my career had a brief
detour in Molecular Bio in the early years), I can tell you that other
scientific disciplines outside of computer security have the same problems.
Wherever prestigious awards, big governement grants, and possible lucrative
drug company deals are at stake, some of the more unscrupulous of the
scientists would sacrifice the integrity of their work in favor of speed.
First to publish, meant first dibs on all of the brass rings.  It didn't
matter if the data was bunk or the assays were all flawed.  When I brought
up the issues, I was told "we'll explain it in the notes, or an addendum
later".  Such addenda never came.

It's part of why I left academia in the first place, because I couldn't
reconcile my own integrity with that of the "successful" scientists around
me.  Though I believe there are very talented and scrupulous individuals
within every discipline, I tended to be attracted to the more exciting
projects (Genome, AIDS research), and those probably had a disproportionate
number of the unscrupulous who wanted the fame and the money that would
eventually follow.  It was also a feudal system, where the head of the lab
would take primary authorship of any given students' work on a routine basis
-- indentured servitude for an undetermined stretch of time until you could
form your own fiefdom and possibly subjugate others' intellects.
What I did get from my turn in academia was a scientific method that proved
useful in pen testing.  I was often well-paired with "shotgun" consultants
that would fire away, nearly at random, and try to collect whatever fruit
dropped from the violent tree shake.  It took them more time to figure out
what they had done  and document it.  I was always slower at finding vulns,
but could repro my vulns instantly and reliably because I documented each
step, and had systematically isolated factors to determine the root cause.
Neither method on its own would have done the job right, but I found I was
always complimentary to anothers' cowboy-shoot-from-the-hip instincts.

What I really love about security work is that the proof is in the pwnage.
Documenting repro steps on a pen test is like giving someone a recipe to
make your vuln cake.  If it doesn't turn out, they might call you on it.
Tools release is the same way -- instant peer-review.  It's much more honest
than the "peer-reviewed publications" of academia can be.  And though
security researchers/hackers tend to be paranoid, there is a healthier
sharing of information among these networks of peers than I observed in a
lab while working on AIDS research.  Scientists were duplicating each
other's work and re-doing proven failed experiements because they were
paranoid that their work would be stolen by another scientist down the
hall.  I'm convinced AIDS and a slew of other ailments would be cured by now
if this were not the culture.  The non-academic security world's sharing and
collaboration is much more true to the earliest scientists and
mathematicians.  Solve the problem, give greetz, shouts, and talks together.
w00t, indeed.

I think the intersection of the two worlds of academic and public can be
fruitful -- some of the most brilliant inspiration for security analysis
come from such symphonies (Think Marshall Beddoe's Network Protocol Analysis
using Bioinformatics Algorithms paper:
http://www.4tphi.net/~awalters/PI/pi.pdf).  There are gems to be polished on
both sides of the fence, and much we can do to advance the science of
security, taking the best of both worlds.

But would I ever go back to academia?  No, I'd miss my autonomy too much.

Cheers,
Katie
On Sun, Aug 3, 2008 at 3:57 AM, nnp <version5 () gmail com> wrote:

On Sun, Aug 3, 2008 at 3:30 AM, root <root_ () fibertel com ar> wrote:

Dave Aitel wrote:

These are not the papers you're looking for.
http://www.usenix.org/event/woot08/tech/full_papers/

Seriously, there's nothing there to scare an network offense
professional. I don't think it's w00t's fault, either. I think the
research communities are diverging into public and private, as this
research gets more expensive to do.

USENIX may not be the place for academic treatment of offensive security
research. A friend of mine wonders if there's any future for academic
treatment of the subject at all. He wonder's wistfully of course, since
he likes academia.

Anyways, either be scary or be silly. There's no middle ground here.
It's a fundamental truth in this field: You're either in, or you're out.

-dave


Commercial security conferences don't have great academic value because
they are not peer reviewed (well, not reviewed by academic people) and
there are other much important academic journals like ieee, etc. that in
theory don't accept money in exchange for the publication of an article.


I'd like to get everyone else's opinion/experiences with articles from
so called 'peer reviewed' journals like IEEE and the rest. I've spent
the past 8 weeks or so working on a project as a research monkey at my
uni and spent the first few weeks pouring over journals etc. When it
actually came time for implementation though I discovered a huge array
of problems that had not been mentioned in the articles (and were
presumably ignored as acceptable sources of error). When I contacted
the authors requesting to see their software so I could determine if
they had solutions to the problems I was either ignored or blown off
with excuses like "we currently don't have the resources to make that
available". In my opinion this brings all of their results into
question when outsiders don't know exactly what sources of error they
deemed acceptable. If some academics aren't bothering to release their
software and their results are questionable then what purpose do they
serve other than to fill pages in journals?

So my question basically boils down to, how much reviewing actually
goes on? i.e Do they run the software? Do they examine code or
formulae? Or is it just a case of 'well it looks right'?


Believe me, i had a hard time convincing my thesis advisor of the
importance of being a speaker on Blackhat...

Anyway, cryptography and cryptanalysis (offensive or not) is certainly
dominated by academia, and I don't see that changing on the future.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave




--
http://www.smashthestack.org
http://www.unprotectedhex.com
 _______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

w00t 08 Dave Aitel (Aug 01)
- Re: w00t 08 Charles Miller (Aug 02)
  - Re: w00t 08 Mike Patterson (Aug 02)
- Re: w00t 08 Jon Oberheide (Aug 02)
- Re: w00t 08 root (Aug 02)
  - Re: w00t 08 nnp (Aug 03)
    - Re: w00t 08 Katie M (Aug 03)
    - Re: w00t 08 dan (Aug 04)
    - Re: w00t 08 Dean Pierce (Aug 03)
    - Re: w00t 08 dan (Aug 03)
    - Re: w00t 08 Adam Shostack (Aug 03)
    - Re: w00t 08 Charles Miller (Aug 04)
    - some ISECOM releases Pete Herzog (Aug 07)