Vulnerability Development mailing list archives
Re: Lindows Issues
From: Paul McNabb <mcnabb () argus-systems com>
Date: Fri, 19 Jul 2002 15:24:50 -0500 (CDT)
I don't know if this is the case here, but some of the hype could very well be generated by the media. We had this problem a year or two ago when we held a "hacking contest" for a product. I had about 2 dozen press interviews, at least, and in *every* one of them the reporter/interviewer tried to put words into my mouth. This happened with NPR, CNN, and lots of other major groups, not just the local radio, TV, and newspapers. Although I think NPR was probably the best. The conversations would go like this:

Interviewer: "So, Mr. McNabb, what you're telling us is that your product is impregnable."

Me: "No, it just really raises the bar. No product or system can ever be made 100% impregnable."

Int.: "So that means that if a company installs your product, they won't have to worry about hackers ever getting in."

Me: "No, they still need to follow all kinds of proper procedures, and our product only deals with certain kinds of threats."

Int.: "So this contest that you are running, it will prove that your system can't be hacked, right?"

Me: "No. Contests don't *prove* anything, and they certainly can't be counted as part of a product security analysis or testing program. We are hoping to show that you can use radically different security architectures and still maintain a high level of security. It's a way for us to let people know about what we're doing and to open up the discussion about how systems can and should be protected."

Int.: "Well, there you have it folks. If this hacking contest goes as Mr. McNabb hopes, it will have proven that we can finally guarantee that hackers will be out of business and that his company's product is invincible."

Then the interviewers' comments would be on the radio or TV or in a printed or online report (my comments seemed to be edited out enough so that no one really knew what I said), and I'd get tons of flames from fellow security people ranting about what an idiot I was.
So anytime I read this stuff now, I always take it with a grain of salt. Maybe the guy said it that way, but maybe he didn't... The media guys are always trying to stretch the story as much as possible to make it sound as exciting as possible.

Just my take from experience.

paul

---------------------------------------------------------
Paul A. McNabb, CISSP
Argus Systems Group, Inc.
Senior Vice President and CTO
1809 Woodfield Drive
mcnabb () argus-systems com
Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433
"Securing the Future"

Deputy Director, CARIS
University of Illinois Center for Advanced Research in Information Security
http://www.caris.uiuc.edu
---------------------------------------------------------
Date: Fri, 19 Jul 2002 15:20:06 -0400
From: "Timothy L. Salus" <tsalus () cboss com>
To: Jonas M Luster <jluster () d-fensive com>
Cc: vuln-dev () security-focus com
Subject: Re: Lindows Issues

A simple thing to remember is --- any code has to be decoded to be worth anything --- Therefore any code or system can be broken -- Human error alone stops systems and applications from being perfect

Jonas M Luster wrote:

> Quoting Rohrer, Mark E (mark.e.rohrer () lmco com):
>
> > carried by InfoWorld Daily News on 05/28/2002: "Executives from Oracle,
> > Dell and Red Hat are scheduled next week to launch what the companies dubbed
> > 'Unbreakable Linux' in an invitation they sent out to the press."
>
> Any lie, repeated sufficiently often, posted on billboards alongside
> 101 and told by sufficiently wealthy individuals or corporations will
> eventually become subjective truth.
>
> Oracle has not stopped its "Unbreakable" campaign, even _after_ they
> were proven wrong in a way I'd describe as humiliating, and people
> still believe them. Who's to blame RedHat for jumping a bandwagon that
> sure as heck will help them not only redefine "unbreakable" to
> something along the lines of "... by a team of ten trained squirrels" but
> also has shown to effectively change the perception of the masses.
>
> "Unbreakable" is a simple statement. In its repetitiveness it is
> hypnotic, almost subliminal. The power of those campaigns can be seen
> in past and current industry campaigns, and political approaches.
>
> Now, you and I know that neither RedHat, nor Oracle is "unbreakable".
> And we'd know that one even without having seen the gaping holes in
> both products - we know it, because we know that there is no such
> thing as "unbreakable". Oracle knows that, too. But by assuming
> something that is virtually impossible, Oracle just made the move to
> greater advertising - what better to claim than something no one else
> would or could claim (except Microsoft).
>
> Yet another unanswered question would be: "How long until their
> clients find out they've been had?" and "What's gonna happen then?".
>
> The answers are most likely "long until never" and "nothing". Oracle's
> uber-envied idol Microsoft shows us that there is no such thing as
> losing a substantial client base over uncovered lies or generally false
> advertising. They also show us that users take a lot of punishment and
> still return (it's called the "Mick Foley Syndrome", read his books if
> you don't get the twist :) for more.
>
> They'll release it, a week later someone will break it, the press will
> report it, and yet another week later your ${PHB} will buy site
> licenses because it's unbreakable. Makes money for Oracle and Red
> "Five years without a remote clue in the default maintainer" Hat.
>
> jonas
Current thread:
- Re: Lindows Issues, (continued)
- Re: Lindows Issues H C (Jul 18)
- Re: Lindows Issues KF (Jul 18)
- Re: Lindows Issues De Velopment (Jul 21)
- Re: Lindows Issues Jonas M Luster (Jul 19)
- Re: Lindows Issues Timothy L. Salus (Jul 19)
- Re: Lindows Issues David Wagner (Jul 19)
- Re: Lindows Issues Valdis . Kletnieks (Jul 19)