Dailydave mailing list archives

Re: Faster, smashter.


From: "Fisher, Dennis" <dfisher () techtarget com>
Date: Mon, 8 Dec 2008 14:38:37 -0500

I wrote a column last week along the same lines as what Dave has to say.
Not coincidentally, the column was the result of a discussion with Dave
and some others a couple of weeks ago. Dave suggested I post it here.
http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1340884,00.html

I expected readers to disagree pretty loudly with the premise, but the
opposite happened. Still, Dave probably said it better in three
sentences than I did in 800 words.

Dennis Fisher
Executive editor
Information Security magazine/Searchsecurity.com

-----Original Message-----
From: dailydave-bounces () lists immunitysec com
[mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Monday, December 08, 2008 8:05 AM
To: dailydave () lists immunityinc com
Subject: [Dailydave] Faster, smashter.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

So I'm in Denver, which is lovely - all mountains and soft-speaking
midwesterners who snowboard an amount that can only be called
obsequious. But Saturday, before I went, I sat on the beach and read
this article by our very own John Markoff just below the fold in the
New York Times.

http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1

"""
...

And there is more of it. Microsoft has monitored a 43 percent jump in
malware removed from Windows computers just in the last half year.
...

The United States government has begun to recognize the extent of the
problem. In January, President Bush signed National Security
Presidential Directive 54, establishing a national cybersecurity
initiative. The plan, which may cost more than $30 billion over seven
years, is directed at securing the federal government's own computers
as well as the systems that run the nation's critical infrastructure,
like oil and gas networks and electric power and water systems.
...
"This is always an arms race, as long as it gets into your machine
faster than the update to detect it, the bad guys win," said Mr.
Schneier.
"""

Faster, smashter. When I see 30 billion dollars, I can tell you what
you're going to get, as a taxpayer, for your money: Patch management,
IDS, Anti-Virus, scanners of all shapes and sizes. Audits. Big rooms
full of large screens correlating information that has absolutely no
relevance to security. You can't correlate what you can't see. You
can't patch what you don't know about.

Mr. Markoff is trying to tell us that the defenders are losing the
battle. But if they are, it's because they *chose* to.  Hackers use
0day and always have. The defenders are off making millions selling
things that don't work against 0day.

I guess what I'm trying to say here is that at this point the
attackers are just "reasonably competent". When it comes to offensive
information security, we ain't seen nothing yet.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJPRuBtehAhL0gheoRAmvjAJ9sCzpHZjSsNbmWTVAZYrJmTuED+wCeNmNv
Pvr/b158e3Yj8meZQcmM9K0=
=D+Gf
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
