Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem


From: Iván Arce <core.lists.firewall-wizards () core-sdi com>
Date: Thu, 22 Aug 2002 21:33:41 -0300

Hi!

----- Original Message -----
From: Marcus J. Ranum <core.lists.firewall-wizards () core-sdi com>
To: <firewall-wizards () nfr net>
<firewall-wizards () honor icsalabs com>
Sent: Saturday, August 17, 2002 3:50 PM
Subject: Re: [fw-wiz] concerning ~el8 / project mayhem


> R. DuFresne wrote:
> > It seems that the whitehat community is under a new attack, putting fear
> > into the souls of some reputed security experts, leaving them to now,
> > rather than admonish these spoiled children, to rather brag them up and
> > promote what some are referring to as their fine skillsets and tools.

> It's not a new attack!!! This has been going on in many ways for
> a long time.
>
> There's really two things going on here... Both are caused by
> professional insecurity in the hearts of the "reputed security
> experts" Ron's referring to...
>
> First off, there's the specialized knowledge of the hacker. I've
> had this particular hook set pretty deep in me, professionally,
> in the past. If you're a true white hat, you're not replete with
> hacking technique and you're not the kind of guy who can whip out
> a tool to crack into any website any time, or whatever. Unfortunately,
> a lot of our customers in the security business have been conditioned
> to expect reputable security professionals to have at least moderate
> hacking skills. This is thanks to things like Hacking Exposed classes,

And how is that bad? The fact that some reputable security professionals
are not able to understand or replicate "hacker techniques"* does not
in any way imply that customers are wrong in their expectations.

* [whatever that is, I do not plan to participate in the ongoing "Hats
   Game" of various mailing lists lately]

> and the early well-marketed security/hacking cross-overs like Dan
> and Wietse's SATAN, ISS, Nmap, etc., etc. I used to do audits and it
> was a very very tough thing whenever a customer insisted that I
> _demonstrate_ the presence of a vulnerability before they'd be

Yes, and this is the same that the security industry requires from the
software vendors, isn't it? I mean, we say "people should not blindly
trust software vendors when they say they are not vulnerable or that
they fixed something or that a fix is not needed", so why should the
customers blindly trust the security experts when they claim something
and they are not able to prove their claims?
The footnote with the argument of "because they paid the security expert
in the first place" is equally invalid; they also paid thousands or
millions to their favourite vendor, and that does not mean that they must
trust every single thing the vendor claims.

> willing to fix it. (Oddly, I suspect bullet-proof vest makers don't
> have that kind of problem with their customers...)  So you have to

Oddly, I suspect you are wrong.
Yes, I suspect that bullet-proof vests are actually TESTED at some
point in their production process, and so are cars and weapons and many
other things.

If you know for a fact that batches of bullet-proof vests are manufactured
and sent directly to customers without testing a sample of them because
"it is not necessary, our well thought production process guarantees they
will stop the bullets", then we should be worried.
There are going to be a lot of holes in too many vests.
Anyway, I always thought that resorting to analogies in the IS field is
pointless, as each discipline has its own problem scenario and follows
quite different paradigms.

But sorry, I just don't rely on design specs and sound security policies
when I evaluate an information security solution, be it a software or
hardware product, a process, a service or even an "accepted practice".

> either become a repository of hacking technique yourself, totally
> steer clear of hacking technique, or have friends who have the
> hacking knowledge who can step in every so often and back you up.
> So, unfortunately, because our customers have been media-trained
> and hacker-marketed to be stupid* many security professionals
> are now in the situation where they feel they can be embarrassed
> if their hacker buddies get pi*sed off at them and the well of
> information runs dry. I managed to get over and around this problem
> a long time ago by being extremely up front about the fact that
> I don't know hacking technique and I don't think it's particularly
> useful and I educate customers as well as I can on the issues and
> if they don't buy it, there are always smart customers to find.

Ok, so let's just worry about the smart customers; the rest deserve to
get owned because they can't understand how to secure themselves.

I've read this argument somewhere else...

> As soon as you start playing that "secret squirrel" crap you're
> vulnerable to whoever can show that your bag of tricks is
> mostly empty. There are a huge number of security practitioners
> out there who are basically poseurs who pretend to know a lot
> about hacking so they can make money doing useless penetration
> tests - and they run back to their hotel rooms and use Nessus.
> They're vulnerable to real hackers making them look bad because
> they have chosen to compete on the wrong playing ground.

The fact that many practitioners sell pentests and actually deliver
runs of vulnerability scanners does not imply that either pentests or
vulnerability scanners are useless or that security experts should
not use them.

It only shows that they are not good at what they do.

And even a penetration test, intrusive and all, is not a taste of what
real attackers could do, but I can't think of anything better other than
letting real attackers have a go at your infrastructure, with no limits
or questions asked and without any expectations of useful results from
them.

But the discussion I actually wanted to get involved with is the fact that
many security experts STILL believe that security professionals are
smarter than everybody else when it comes to information security, and
that there is nothing to learn from the rest of the world: admins,
management people, real world attackers, criminal organizations, script
kiddies.
"If I design my defenses well and I have a sound development and deployment
process coupled with well defined security policies I am ok, I don't need
to know anything from the "others", the bad guys, the attackers, I don't
need to know their motivations, their techniques or their capabilities".
This is the paradigm behind firewall technologies, this is the ivory tower
posture back from the mainframe times with a twist.

First, that posture is just arrogant; the compound knowledge of all the
security experts in the world is a small and pale subset of a much larger
body of knowledge and talent, we should be humble and realize this.

Second (and more important) that posture is WRONG. Over the past decade(s)
information security has evolved and incorporated new technologies and
practices like vuln scanners, IDSes, honeypots, penetration tests, black box
audits and reverse engineering, etc. It is arguable that all of these do not
suffice to provide robust and lasting security to any organization without
the other more basic things such as sound security design, policies and
processes, but they CERTAINLY helped to reduce risk and aided in the
decision making process and in the implementation and deployment of fixes
to many security problems.
These have been accepted by a vast amount of technology professionals; to
say that it is pure marketdroid-driven spending is to underestimate the
intelligence of way too many people.

And third, thinking that IS professionals do not/should not need to learn
and understand the attackers' techniques, capabilities and "trends" is also
DANGEROUS; it prevents us from predicting the future evolution of our trade.
See... worms are not like RTM's anymore, vulnerabilities are not simple race
conditions or even buffer overflows anymore, exploits and attack trends are
increasingly complex. If we fail to see this and learn from it we are doing
a very poor job as information security professionals and we won't know
what we will need to protect ourselves from in the future.

-ivan

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A



--- for a personal reply use: Iván Arce <ivan.arce () corest com>
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

