Re: Security Industry Under Scrutiny: Part 3

[Silvio Cesare <silvio () big net au>]

sockz.. you have completely lost the plot ;-|

On Thu, Dec 05, 2002 at 11:18:58PM -0500, sockz loves you wrote:
> ----- Original Message -----
> From: "Steve W. Manzuik" <steve () entrenchtech com>
> Date: Fri, 6 Dec 2002 10:47:47 +0900 
> To: <full-disclosure () lists netsys com>
> Subject: RE: [Full-disclosure] Security Industry Under Scrutiny: Part 3
>
>
> > This was a really good post, I think you touched on some good points that I 
> > would like to comment on.
>
> woot, thankz steve.
>
> > > In light of who will access this vuln information we can now 
> > > pinpoint a few areas in need of critcal improvement.  First 
> > > of all is the proof of concept code being released into the 
> > > wild via the whitehats website.  Removing tools from the net 
> > > means that you remove the threat of socially inapt morons 

Everything that has been discussed is only say 15 years behind the
security history of mainstream computing..

If anyone has learnt anything in security over the years, it's that

        "security through obscurity"

DOES NOT WORK


I'm curious how your analysis (and also the ascii flow graphs presented)
reflect the history of computer security practices, and what was
discovered in the past..

The graphs presented believe that the source of "vulnerability discovery"
is from a purely trusted [and isolated] source.

This view, is also the reason why security through obscurity fails to work -
Because vulnerability discovery is not the simple mechanism described in
the simplified frameworks you describe.

The presentations provided visibly show the source to "script kiddy"
usage goes through a disclosure process..  The "script kiddies" are therefore
the only adverseries you display.

This is not the reality of computer security, and if the past year has shown
us, then "oh shit.. the 'blackhats' have vulns against all of this
software" - yet WHAT DO BLACKHATS DISCLOSE?

The solution you present for secure computing, is indeed a purely political
scheme, and not a technological scheme, for the goal is not the
reduction of vulnerabilities, but _the reductions of
REPORTED of "security violations"_.

This reduction can be achieved through many means.  A typical example is the
NON DISCLOSURE OF SECURITY VIOLATIONS themselves.  In this framework, then
indeed the total security on the internet is increased, because the
reported number of security problems, is descreased.

Does that make the number of real violations less than previous?  Does that
make the true technological security any better?  Does that mean people
are not actively exploiting software and breaking into machines?

> > The problem with this is that there will always be someone who feels it is 
> > their right (free speech and all that jazz) to post what they want on their 
> > website and there will always be those who write/post exploit coide.  How do
> > you propose that this is prevented?  
 
The purpose of this is for what?

Your framework is a simplified view of problems, that ignore the truth
of computer security.  That disclosure does not occur for the
"true blackhats" - that is, the computers which you imply you are trying
to protect, will never be reported as "vulnerable" by the people
who wish to break into them.

Blackhats as is stated by so many people, DO NOT DISCLOSE - why would
they?

"Hey.. I just rooted this bank and am taking all their money!"
"Time to make a post to full-disclosure!"

^^ I find that laughable..

The "blackhats" are indeed an "adversary" in the computer security framework -
the script kiddy is also an adversary.. yet your framework believes that
the only failure in computer security is because of disclosure - that is,
the "bad guys" dont already know these vulnerabilities.

How exactly does your framework of non-disclosure bring into play
the fact that "AN ADVERSARY DOES NOT DISCLOSE".

^^ Am I lost here in your analysis?  or is the framework of non disclosure
heavily simplified and polarized to acheive an agenda?

> well mechanisms like this are already in place when it comes to things like
> national security.  freedom of information is limited where that information
> could pose a threat to international relations, military strategy, secret
> operations and investigations, etc.  i think that if the internet is grown up
> enough to have laws that make it more capitalist-friendly it should be old
> enough to be subjected to State-based legislation that prevents the trading of
> information that could pose a threat to internet security.
 
[ snip ]

> > What about the inept software vendors who *require* proof of concept code 
> > before they even consider looking at a problem?  What about organizations like
> > CERT who has had proof of concept code mysteriously leak?
 
THis implies that "blackhats" don't already have this (highly unlikely).
Yet, you insist that again the magic bullet of computer security, is to
block full disclosure, and to keep such information in a "trusted and
isolated environment" (though you acknowledge that again this is not fully
trusted).

Let's get this clear..

        BLACKHATS ALREADY KNOW AND HAVE THIS INFORMATION!
        BLACKHATS DO NOT DISCLOSE!

Your statements are the opposite -->

        SECURITY IS COMPROMISED THROUGH TRUSTED ROOTS OF DISCLOSURE.
        BAD PEOPLE FULLY DISCLOSE.

so in summary..

        STEP INTO REALITY FOR A MINUTE.


Everything that gets posted by the so called "blackhats" says this -->

        BLACKHATS DO NOT DISCLOSE

^^ so...  the idea then that a "secure internet" is by non disclosure!

WHO THE F*CK ARE "YOUR" ADVERSARIES?

--
Silvio
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html