Full Disclosure mailing list archives

Re: SMS Banking


From: "Thor (Hammer of God)" <Thor () hammerofgod com>
Date: Wed, 10 Feb 2010 05:15:27 +0000

Actually, I'll make it even easier for you...

You pick the 50 software packages- I don't care which.  You use your formulas to calculate the "risk" of deploying them 
on the internet.

As per your instructions, which were in writing when you put up your $10,000, "Thor does whatever he wants."  I will 
illustrate "real world" deployment issues that will lead to full compromise of all 50, count them, 50 (That's 100% - 
thought I would save you the trouble of getting out your calculator) software packages.

Your formulas cannot, and will not, be able to factor in the human element, particularly when I get to do "whatever I 
want."

And please don't try to change the terms, Craig.  I have to say that because the last time I bothered with you (when 
you tried to tell me IPSec was an authentication protocol like NTLM or that Rainbow Tables worked on NTLMv2) you 
wiggled about a bit.

Can we do this live?  If I lose, I'll pay for your plane ticket to Vegas.

t



From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of 
Thor (Hammer of God)
Sent: Tuesday, February 09, 2010 8:59 PM
To: craig.wright () Information-Defense com; Valdis.Kletnieks () vt edu
Cc: 'full-disclosure'; pen-test () securityfocus com; security-basics () securityfocus com
Subject: Re: [Full-disclosure] SMS Banking

Now you're talking.  But first let's work up an actual contract.  Neither of your components define anything.  When you 
say that you are going to predict "risk" with your magic formula, do you mean if the software has vulnerabilities?  
That it can be hacked, or will be hacked?

Be sure to define this properly and definitively - if you end up saying that a system has a 1% chance of being hacked, 
and I (or my auditors) hack it, would you claim you were "right"?  I question if you can even define the parameters of 
this bet, much less apply your formulas, but we'll see.

I also want to know what "scale" you plan to use.  So far, even though I've asked, you've not provided what the 
"answer" to your formula is, or how it will be applied.  I'm assuming, unless you are going to change your tune which 
I wouldn't doubt, that you won't look at the software code or threat models, but rather apply your formulas.  I further 
assume that the "loser" will be financially responsible for the "audits" done my way.

I'm more than happy to take your money, and I look forward to doing so.  Since one of your masters degrees is in law, 
I'm assuming you can clearly define the terms of the contract.  I will, of course, insist upon a contract, and I hope 
you won't mind that I have my own attorney look it over.  I'm not immediately trusting of the competence of one with 
a doctorate degree and multiple masters degrees who can't spell "technology" or "experience" correctly on his on-line 
CV.

You are officially "on."  And I'm looking forward to it.

t



From: Craig S. Wright [mailto:craig.wright () Information-Defense com]
Sent: Tuesday, February 09, 2010 7:41 PM
To: Valdis.Kletnieks () vt edu; Thor (Hammer of God)
Cc: pen-test () securityfocus com; 'full-disclosure'; security-basics () securityfocus com
Subject: RE: [Full-disclosure] SMS Banking


I have a simple answer to this. Forget the debate, rhetoric is not a scientific method of determining truth.

"Thor" wants a challenge, let's have one - a real one and not one based on verbalisations, abuse and unfounded 
assertions.

I suggest two components:

1. A selection of software products are tested using both processes, that is I use a model for the risk of these 
products, and "Thor" can make up whatever guesses he wishes. We model (or "Thor" guesses, pulls from a hat...) the 
vulnerabilities over a time period. The number of bugs in software as well as the risk are to be presented as a monthly 
estimate.

2. We model a few systems (say 50). We can use Honeypots (real systems set to log all activity without 
interference) run by an independent party to each of us. I use probabilistic models to calculate the risk. "Thor" does 
whatever he wants.

Each of the predictions is published by all parties. The one who is most accurate wins. Fairly simple?

I will even give a handicap to "Thor": I will offer to predict within a 95% confidence interval and that for me to win, 
at least 90 of the 100 software products and 45 of the 50 systems have to lie within my predicted range that I 
calculate and release. "Thor" has to simply guess better than I do no matter how far out he is.

I will put up $10,000 Au for my side. Let's see if "Thor" has something real to offer.

Regards,

...

Dr. Craig S Wright<http://gse-compliance.blogspot.com/> GSE-Malware, GSE-Compliance, LLM, & ...

Information Defense<http://www.information-defense.com/> Pty Ltd

_____________________________________________
From: Valdis.Kletnieks () vt edu [mailto:Valdis.Kletnieks () vt edu]
Sent: Wednesday, 10 February 2010 7:03 AM
To: Thor (Hammer of God)
Cc: pen-test () securityfocus com; full-disclosure; craig.wright () Information-Defense com
Subject: Re: [Full-disclosure] SMS Banking


On Tue, 09 Feb 2010 17:39:39 GMT, "Thor (Hammer of God)" said:

how about accepting a challenge to an open debate on the subject at Defcon?

"Alright folks just make yourself at home, Have a snow cone and enjoy the show"

                                -- Webb Wilder


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
