Firewall Wizards mailing list archives
Re: concerning ~el8 / project mayhem
From: Iván Arce <core.lists.firewall-wizards () core-sdi com>
Date: Thu, 22 Aug 2002 21:33:41 -0300
Hi!

----- Original Message -----
From: Marcus J. Ranum <core.lists.firewall-wizards () core-sdi com>
To: <firewall-wizards () nfr net> <firewall-wizards () honor icsalabs com>
Sent: Saturday, August 17, 2002 3:50 PM
Subject: Re: [fw-wiz] concerning ~el8 / project mayhem
> R. DuFresne wrote:
> > It seems that the whitehat community is under a new attack, putting fear into the souls of some reputed security experts, leaving them to now, rather than admonish these spoiled children, to rather brag them up and promote what some are referring to as their fine skillsets and tools.
>
> It's not a new attack!!! This has been going on in many ways for a long time. There's really two things going on here... Both are caused by professional insecurity in the hearts of the "reputed security experts" Ron's referring to...
>
> First off, there's the specialized knowledge of the hacker. I've had this particular hook set pretty deep in me, professionally, in the past. If you're a true white hat, you're not replete with hacking technique and you're not the kind of guy who can whip out a tool to crack into any website any time, or whatever. Unfortunately, a lot of our customers in the security business have been conditioned to expect reputable security professionals to have at least moderate hacking skills. This is thanks to things like Hacking Exposed classes,
And how is that bad? The fact that some reputable security professionals are not able to understand or replicate "hacker techniques"* does not in any way imply that customers are wrong in their expectations.

* [whatever that is, I do not plan to participate in the ongoing "Hats Game" of various mailing lists lately]
> and the early well-marketed security/hacking cross-overs like Dan and Wietse's SATAN, ISS, Nmap, etc., etc. I used to do audits and it was a very very tough thing whenever a customer insisted that I _demonstrate_ the presence of a vulnerability before they'd be
Yes, and this is the same thing that the security industry requires from the software vendors, isn't it? I mean, we say "people should not blindly trust software vendors when they say they are not vulnerable or that they fixed something or that a fix is not needed", so why should the customers blindly trust the security experts when they claim something and they are not able to prove their claims? The footnote with the argument of "because they paid the security expert in the first place" is equally invalid; they also paid thousands or millions to their favourite vendor, and that does not mean that they must trust every single thing the vendor claims.
> willing to fix it. (Oddly, I suspect bullet-proof vest makers don't have that kind of problem with their customers...) So you have to
Oddly, I suspect you are wrong. Yes, I suspect that bullet-proof vests are actually TESTED at some point in their production process, and so are cars and weapons and many other things. If you know for a fact that batches of bullet-proof vests are manufactured and sent directly to customers without testing a sample of them because "it is not necessary, our well thought out production process guarantees they will stop the bullets", then we should be worried. There are going to be a lot of holes in too many vests.

Anyway, I always thought that resorting to analogies in the IS field is pointless, as each discipline has its own problem scenario and follows quite different paradigms. But sorry, I just don't rely on design specs and sound security policies when I evaluate an information security solution, be it a software or hardware product, a process, a service or even an "accepted practice".
> either become a repository of hacking technique yourself, totally steer clear of hacking technique, or have friends who have the hacking knowledge who can step in every so often and back you up. So, unfortunately, because our customers have been media-trained and hacker-marketed to be stupid* many security professionals are now in the situation where they feel they can be embarrassed if their hacker buddies get pi*sed off at them and the well of information runs dry. I managed to get over and around this problem a long time ago by being extremely up front about the fact that I don't know hacking technique and I don't think it's particularly useful and I educate customers as well as I can on the issues and if they don't buy it, there are always smart customers to find.
OK, so let's just worry about the smart customers; the rest deserve to get owned because they can't understand how to secure themselves. I've read this argument somewhere else...
> As soon as you start playing that "secret squirrel" crap you're vulnerable to whoever can show that your bag of tricks is mostly empty. There are a huge number of security practitioners out there who are basically poseurs who pretend to know a lot about hacking so they can make money doing useless penetration tests - and they run back to their hotel rooms and use Nessus. They're vulnerable to real hackers making them look bad because they have chosen to compete on the wrong playing ground.
The fact that many practitioners sell pentests and actually deliver runs of vulnerability scanners does not imply that either pentests or vulnerability scanners are useless or that security experts should not use them. It only shows that they are not good at what they do. And even a penetration test, intrusive and all, is not a taste of what real attackers could do, but I can't think of anything better other than letting real attackers have a go at your infrastructure, with no limits or questions asked and without any expectations of useful results from them.

But the discussion I actually wanted to get involved with is the fact that many security experts STILL believe that security professionals are smarter than everybody else when it comes to information security, and that there is nothing to learn from the rest of the world: admins, management people, real world attackers, criminal organizations, script kiddies. "If I design my defenses well and I have a sound development and deployment process coupled with well defined security policies I am OK, I don't need to know anything from the 'others', the bad guys, the attackers, I don't need to know their motivations, their techniques or their capabilities." This is the paradigm behind firewall technologies; this is the ivory tower posture back from the mainframe times with a twist.

First, that posture is just arrogant: the compound knowledge of all the security experts in the world is a small and pale subset of a much larger body of knowledge and talent; we should be humble and realize this. Second (and more important), that posture is WRONG: over the past decade(s) information security has evolved and incorporated new technologies and practices like vuln scanners, IDSes, honeypots, penetration tests, black box audits and reverse engineering, etc.
It is arguable that all of these do not suffice to provide robust and lasting security to any organization without the other more basic things such as sound security design, policies and processes, but they CERTAINLY helped to reduce risk and aided in the decision making process and in the implementation and deployment of fixes to many security problems. These have been accepted by a vast number of technology professionals; to say that it is pure marketdroid-driven spending is to underestimate the intelligence of way too many people.

And third, thinking that IS professionals do not/should not need to learn and understand the attackers' techniques, capabilities and "trends" is also DANGEROUS; it prevents us from predicting the future evolution of our trade. See... worms are not like RTM's anymore, vulnerabilities are not simple race conditions or even buffer overflows anymore, exploit and attack trends are increasingly complex. If we fail to see this and learn from it we are doing a very poor job as information security professionals and we won't know what we will need to protect ourselves from in the future.

-ivan

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
---
for a personal reply use: Iván Arce <ivan.arce () corest com>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards