Secure Coding mailing list archives

Previous By Date Next
Previous By Thread Next

Re: informIT: Building versus Breaking

From: Tom Brennan <tomb () owasp org>
Date: Thu, 1 Sep 2011 18:21:16 -0400
Ding ding ding... End of first round.

<insert ring girl with below sign> 

Largest application software security focused event in 2011 - don't miss: 

http://www.appsecusa.org

Sept 20-23 2011

###

Ding ding ding... Now "let's get it on"

Let's keep a professional..debate. Free speech only works with more free speech add bourbon for a party.









On Sep 1, 2011, at 3:26 AM, "Sergio 'shadown' Alvarez" <shadown () gmail com> wrote:




"Blackhat IS about breaking stuff, the vendors area offers defense
products and services to improve your security. For building stuff (as
in development) there are other conferences out there. People go to
Blackhat to be aware of what things might go wrong in order to protect
better themselves."

I really take offense to your comment.


There's no offense within the truth. 
btw, I forgot trainings in that paragraph.


I am seeing malware out in the field that is based on work by
so-called noble "security researchers".


You are seeing?, woow, how?
From this mail its clear you have no idea, and even less about the reverse engineering that is required to do such 
analysis. I am a reverse engineer, and I know what I'm talking about, but this is not the list to get into discussion 
about malware and reversing.


My litmus test is: If there were no whitehats and security
researchers, would we be better off at fighting the bad guys?

My answer is emphatically "yes".


Might I ask you a question? Why are you even in this mailinglist if you are the kind of guy or developer that just 
don't care about doing your products correctly?
Based on your answer a whitehat for you is a nightmare, the one who is giving your boss the red pill and because of 
that you are 'force' to rewrite your code and do things as you should have done from the very beginning.

People that follow your line of thinking are the ones who need to be replaced by people willing to learn in order to 
do better and more secure products.


I agree with Gary and from knowing Gary from all of his posts and
podcasts, this is not a new stance from him. I am in complete
agreement with him and always have been.


I do agree with Gary in that there is a need of having a new Conference about Defense Technologies and Awareness *for 
Developers*, that bring top notch security professionals and researchers together.

I highlight *for developers* because for people who know what they are doing there are a bunch of conferences, and 
since you brought the topic malware, here you have some specifically for that topic:

http://www.virusbtn.com/news/calendar/index

Specially the VB Conference is really good. (Virus Bulletin)


And while I am here, the "Builders vs. Breakers" term should be
attributed to Mark Curphey. You can probably still find his original
post.


I'm sort of sick of the whole attribution thingy. I've seen many of that in academia 'research', where they just take 
research from some unknown researcher and put a label to it and clame attribution afterwards.
The "Builders vs Breakers" meme has been discuss since *years*, I mean since before the 90s, and specially in other 
disciplines than software development. But since you've mentioned a specific person, a resent discussion which 
predates the author you've mentioned is here from June 3, 2008:
http://marc.info/?l=cryptography&m=121260561401776&w=2
http://news.cnet.com/2300-1029_3-6240826.html?tag=ne.gall.pg
Let me know if you find an article from the that Mark Curphey which predates that one and I'll give you another one 
older just to fit your needs.


The next question is: Can we ever prevent people from being "security
researchers" or "white hats" or "black hats" or "bad guys"? No.


Can we prevent people from developing shitty code?
Can we prevent people from talking BS?

Neither.


But I think we have to start to take the lipstick off of the pigs and
recognize what it is. It's called "Blackhat", isn't it?


A blackhat is the first one willing to keep things secret, so that nobody knows anything. 
Thanks to whitehats and researchers who present their work and bring some light to blind people is that products 
evolve during the time.
Otherwise we would still have products like Windows 95 or Windows NT 4.0 which were joke from a security point of 
view. When Bill Gates sent the famous letter to all the company ask to stop doing what ever it was they were doing 
and start auditing and reviewing the security of their developments, a lot of developers and project managers quit 
because they didn't want to rebuild right what they've built wrong. I believe you think like those developers and 
PMs, that's not the way to go.


Very unfortunately, there is more glamour - and probably more reward -
in breaking stuff.


That's a media/press problem, they are guilty for that.
I personally have great respect for products well engineered.


What I hate is that "security researchers" and the "white hats" try to
present themselves as noble and as the good guys.


I don't share that mindset, security researchers present a project and let the industry to come up with better 
solutions to the problem.


It's f*cking
bullsh*t and a total scam. Ten years later for me and the state of
infosec is much worse.


Compare Windows 2000 and Window 7, MacOS 9.x vs Lion, or Linux kernel 2.2 vs 2.6 (or 3.x) and then we talk OK?


There is also a nasty faction of infosec that will never want to solve
problems which will put themselves out of work. Yep, I am throwing
down that gauntlet FWIW.


There are also a lot of people accumulating dust under the carpet like nothing happens, hoping no one will uncover 
their hidden trash.

Cheers,
  Sergio


Stephen


On Wed, Aug 31, 2011 at 1:01 PM, Sergio 'shadown' Alvarez
<shadown () gmail com> wrote:

Hi gem,

I've read your article to see what direction you were willing to take, before jumping into the conversation. Your 
post was exactly what I thought you were heading to.

I disagree with your thought for many reasons.

But first I would like to use proper terms so that we don't misuse some vocabulary:

You said: """Software security should be a balanced approach of offense and defense (white hat and black hat, if 
you will)"""

Whitehat: reports what he/she has found. Network vulenerabilities, software security flaws, flawed crypto, design 
flaws, or whatever it is that the individual found it was broken or wrong.

Blackhat: doesn't report what he/she found, because she/he want to keep it that way.

Of course there are a lot of grays out there too.

Defense is…well... defense.

To design and build proper software and hardware there are a lot of conferences out there, as well as trainings and 
a huge amount of literature. There are very good books when it comes to secure software development.

Every year what is presented, in the best security conferences, are new techniques that developers need to be aware 
of in order to build secure products. Most of the presentations talk about things that were wrongly designed and/or 
corner-cases which were not considered.

There are also a lot of tools and libraries which help development teams to do things right, specially libraries 
and templates like Microsoft Safeint as well as the safe APIs, which prevent developers from shooting themselves.
They just need to use them. There are also managed languages, APIs to handle SQL securely, etc. It is just that a 
lot of developers don't use what is available to them.

Blackhat is great as it is now, there are talks about new defense technologies from time to time too. Having more 
talks about defense would be use, in my opinion, to sale products than anything else. I don't believe it would do 
any good to Blackhat.

"""I am not opposed to breaking stuff (see "Exploiting Software" from 2004), but I am worried about an overemphasis 
on breaking stuff."""

Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. 
For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of 
what things might go wrong in order to protect better themselves. And even then many good talks overlap 
unfortunately.

Regards,
 Sergio

On Aug 31, 2011, at 4:16 PM, Gary McGraw wrote:


hi sc-l,

I went to Blackhat for the first time ever this year (even though I am basically allergic to Las Vegas), and it 
got me started thinking about building things properly versus breaking things in our field.  Blackhat was mostly 
about breaking stuff of course.  I am not opposed to breaking stuff (see "Exploiting Software" from 2004), but I 
am worried about an overemphasis on breaking stuff.

After a quick and dirty blog entry on the subject 
<http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/>, I sat 
down and wrote a better article about it:

Software [In]security: Balancing All the Breaking with some Building
http://www.informit.com/articles/article.aspx?p=1750195

I've also had a chat with Adam Shostack (a member of the newly formed Blackhat Advisors) about the possibility of 
adding some building content to Blackhat.  Go Adam!

Do you agree that Blackhat could do with some building content??

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justoceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________



_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________





-- 
http://www.linkedin.com/in/stephencraigevans


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Previous By Date Next
Previous By Thread Next

Current thread: