[Full-Disclosure] Security Industry Under Scrutiny: Part 3
sockz loves you
sockz at email.com
Tue Dec 10 05:12:02 GMT 2002
----- Original Message -----
From: Silvio Cesare <silvio at big.net.au>
Date: Fri, 6 Dec 2002 15:15:56 +1100
To: sockz loves you <sockz at email.com>
Subject: Re: [Full-Disclosure] Security Industry Under Scrutiny: Part 3
> sockz.. you have completely lost the plot ;-|
i had a plot?
> If anyone has learnt anything in security over the years, it's that
> "security through obscurity"
> DOES NOT WORK
plz explain why? so far all the explanations i've heard have been self-sealing
arguments backed up only by simplified models and varying degrees of 'faith'
in the security industry.
> I'm curious how your analysis (and also the ascii flow graphs presented)
> reflect the history of computer security practices, and what was
> discovered in the past..
this analysis didn't.
> The graphs presented believe that the source of "vulnerability discovery"
> is from a purely trusted [and isolated] source.
> This view, is also the reason why security through obscurity fails to work -
> Because vulnerability discovery is not the simple mechanism described in
> the simplified frameworks you describe.
> The presentations provided visibly show the source to "script kiddy"
> usage goes through a disclosure process.. The "script kiddies" are therefore
> the only adversaries you display.
what others should i have included that were relative to the debate? i assumed
that if i was describing the flow of information between whitehats and script
kiddies, then i would not need to list any other adversaries because they would
have been outside the scope of the email. perhaps i was wrong? then again you
could mean here that fake-whitehats with fake-advisories are also kinds of
adversaries? i am not clear on this.
> This is not the reality of computer security, and if the past year has shown
> us, then "oh shit.. the 'blackhats' have vulns against all of this
> software" - yet WHAT DO BLACKHATS DISCLOSE?
i dont follow.
> The solution you present for secure computing, is indeed a purely political
> scheme, and not a technological scheme, for the goal is not the
> reduction of vulnerabilities, but _the reduction of
> REPORTED "security violations"_.
that's correct and incorrect.
the goal is to change the way vulnerabilities are reported. it isn't security
through obscurity really, because a responsible security architect would be
notifying the software vendor alone... and not the rest of the world. what i
am calling for here is not an end to bug reports but a beginning of maturity
and responsibility in the industry.
> "Hey.. I just rooted this bank and am taking all their money!"
> "Time to make a post to full-disclosure!"
> ^^ I find that laughable..
hehe, me too.
> The "blackhats" are indeed an "adversary" in the computer security framework -
> the script kiddy is also an adversary.. yet your framework believes that
> the only failure in computer security is because of disclosure - that is,
> the "bad guys" dont already know these vulnerabilities.
> How exactly does your framework of non-disclosure bring into play
> the fact that "AN ADVERSARY DOES NOT DISCLOSE".
okay point taken. i guess i'm just so used to seeing blackhats as anything but
an 'adversary' that i forgot to consider them from the other side of the
argument. i'll make the amendments when i get home.
> Let's get this clear..
> BLACKHATS ALREADY KNOW AND HAVE THIS INFORMATION!
> BLACKHATS DO NOT DISCLOSE!
i think that it is unreasonable to suggest that everything that has been churned
out on bugtraq in the last year was discovered by a blackhat. surely, maybe, in
the sense that the whitehat is for a brief moment a blackhat before they post
the advisory (if you remove all traces of intent). but it's a completely
different motivation here. whitehats find bugs to make themselves famous, make
money, score advisory brownie points, and those bugs can be *anything*. i dunno
about you but the only bugs i've really sought after are the ones that will help
me achieve my individual goals.
in any case thanks for your reply. i'll try and make things a bit clearer in
Full-Disclosure is hosted and sponsored by Secunia.