useful people
but probably not in their intended way. there's this great quote, from lazarus long,
``If this is too blind for your taste, consult some well-meaning fool (there is always one around) and ask his advice. Then vote the other way. This enables you to be a good citizen (if such is your wish) without spending the enormous amount of time on it that truly intelligent exercise of franchise requires.'' (with respect to voting)
with that in mind, this blog post is about the least intelligent thing i've ever seen.
because blackhats have no sense of humor. of course.
(admittedly, there is an outside chance that the blog post was trying to employ a tone of sarcasm, but if so, it was completely lost. read some of the previous posts - this, this, etc... - to get a grasp on his level of understanding)
additional note: people like this are why antisec exists. i don't know if i fully agree, but there are a very large number of good points to be found on there.
8 Comments:
woohoo Lazarus Long!
Toasty - please enlighten me on the error of my ways. What is it I am missing (besides intelligence, of course)?
Pete
Assuming that you weren't trying to be sarcastic (about being shocked/dismayed)...
My main problem with that post is actually very much in line with my major complaint against Microsoft in general - both make major assumptions (in this case, about security) without any basis upon which to build them. Security is a great thing to want. I don't think that you (or Microsoft) have taken the necessary steps to obtain it (at a sufficient level?). As an OS, Windows is built upon the premise that it will make money. Security was an afterthought by about 7 years (or more, depending on perspective). Considering the age of the codebase, my argument is that it's not intelligent to have a reasonable expectation of security from something that was built without its consideration in the beginning. Of course no one could see the future or anticipate the growth rate of computers, but expecting to not have to pay later for shortcuts being taken is an unjustified position. Microsoft continues to add complexity to their products at an incredible rate. Maybe taking the time to refine some of them, instead (and I don't mean patches, I mean from a design perspective), would be worthwhile. I don't really see any easy solution. But I wouldn't go expecting any security from them, either.
What makes you think my position on the merits of bugfinding is an indicator for my position on the security of Microsoft platforms? They are two different issues.
Btw, I *was* being sarcastic, but not in the way you think.
Pete
Your positions on bug finding vs. Microsoft security are pretty clearly distinct, as a whole. However, a relationship between them does exist. If you're going to be bothered worrying about having security in a MS product, being surprised by people continually announcing bugs for it seems sort of ridiculous.
For some reason, sarcasm never seems to convey well over the net (without having known the person in real life). If you're referring to paragraph two, I figured that much out. Otherwise, it's not obvious to me.
With respect to your posts on bugfinding, I feel very differently. It probably deserves a full post of its own, but I'll try to briefly explain why, here. I'm fairly sure that bugfinding does considerably more good than harm. I'm not convinced that bugs being found aren't from ``real threats'' (your post w/trackback 4523311) - you imply pretty strongly that only your list of undercover exploits are being used in the wild, which is very much not the case. A huge number of compromises are never fully understood, and among those that are, many could have been prevented. Bugfinding (by third parties and such) isn't by any means the best way to find and deal with them, but it is effective to a degree. This is especially true in the face of organizations that refuse to admit their software has a problem until they can see it first hand. Do you think MS would have started the huge security push they'd taken on in the last few years if people hadn't been showing them problems all along? It seems to be gradually motivating people to believe that companies have responsibilities for the software they write. I think a lot of the good bugfinding does goes un-reported, because it isn't ``big news''. If, for instance, an exploit is discovered, reported, and patched against, there is still potentially value even for the people unable to patch (for one reason or another) by virtue of the fact that even just a signature for an IDS can help prevent it from being used rampantly.
Obviously none of this will be any help against the best attackers. It might lower the bar for script-kiddies, but it lowers it even further for having decent defense from the morons out there. It very often seems like a trade-off, in terms of money. A well-enough funded enemy is going to find some way in, with a very high probability. And it will be bad. But that's no reason to ignore all the people who are just testing an exploit someone else wrote and they don't understand.
1) The fundamental flaw with bugfinding is the bugfinders always have to find the *right* bugs, which is impossible. Attackers can exploit any hole they want, but we *must* fix the disclosed/patchable bugs (for reasons you describe), even though they are the wrong ones (i.e. the ones that do the least damage).
2) It's great to be "fairly sure" of things you believe in and "not convinced" of those you don't when you have no evidence of the former and want to ignore the latter.
3) I don't imply anything; you infer incorrectly.
4) "A huge number of compromises are never fully understood" - how on earth can you support this argument? So, like, how much is "huge"?
5) "Do you think MS would have started the huge security push they'd taken on in the last few years if people hadn't been showing them problems all along?" Umm, well, if there is a real threat (which I believe there is, but you are implying there isn't), then, YES I do think MS would do it, because the evidence of compromise would have been far more damning than ego-trips by self-styled vigilantes (against MS).
6) "Obviously none of this will be any help against the best attackers." You are arguing against yourself in this final paragraph.
I have two questions:
1) What is the largest enterprise you've worked in where you had global tech responsibilities?
2) Why do you feel compelled to force everyone to be like you?
Toasty - when you make an argument against someone's intelligence, you really should be able to back it up with logic or evidence of your own and not just rhetoric and emotionally-laced b.s. that you read on a hacker website or out of a book. (There are a couple of weaknesses in my argument and you didn't pick up on any of them.)
I wish you luck on your long road ahead. I throw in the towel.
Pete
1) What is the largest enterprise you've worked in where you had global tech responsibilities?
Irrelevant. Where someone has worked has no bearing on whether their arguments are sound.
1) The fundamental flaw with bugfinding..
If we don't find the bugs, someone will. Name your stakes, I'll bet that that someone is not always going to be the vendor (be it MS or whoever).
To put it another way, the bad guys will have exploits. The best way to foil them is by searching for the vulnerabilities blackhats already know about and fixing them. Every time a bug is fixed, we make the task a little harder and less accessible to the unskilled.
The fundamental flaw in your belief that bugfinding is not beneficial is that finding an undercover exploit, to use your term, is a hard problem. If an attacker or group of attackers have an undercover exploit and a very small, very targeted number of victims, the existence of the vulnerability could be hidden indefinitely.
Pete, if I were a bit more unscrupulous and a bit less bound by certain things I've signed, I would support you one hundred percent in suppressing vulnerabilities. As an attacker it's much easier to use one exploit for almost two years than to have to come up with a new one because it's been patched against.
Yes, we must fix the bugs we find. But the fact that a bug is public only puts pressure on the vendor. Without this pressure, vendors sit on their thumbs and the public suffers.
point by point...
1. fixing all the right bugs very probably is impossible. the idea of not doing it necessarily implies that there is no opposition trying to find them either. if this were the case, i'm sure the world would be a much happier place. as it is, there is a lot of code out there with a lot of bugs that are very easy to exploit. nothing you say can change this. your suggestion about ``elevating the understanding of systems'' (see http://spiresecurity.typepad.com/spire_security_viewpoint/2006/03/why_bugfinding_.html ) doesn't really make sense to me, and as far as I can tell, would do nothing to address all the problems which already exist.
2. These are not subjective qualifiers by accident - they are my understanding of the world based upon my experience. ``I'm fairly sure that bugfinding does considerably more good than harm'' because I've seen a lot of bugs reported, and can watch as bugreports on issues get closed. Again, this isn't reported on any big news sites because it's a daily occurrence. The quality of software is visibly improving as a result of these. ``I'm not convinced that bugs being found aren't from ``real threats'' '' because I've seen bugs exploited in the wild, and later reported and closed. It doesn't make sense to me to claim that because a program lacks trivial input validation, that it shouldn't be reported because it's unlikely anyone would attack it or ever figure it out.
3. Am I inferring incorrectly that your list are the only ones worth fixing, or that you see them as a problem?
``I am all for disclosing vulnerabilities that are discovered due to in-the-wild-exploits. In fact, there have been ten (that I am aware of) in the past ten years. I think we should protect ourselves from those ten and any others that come up in that way.''
doesn't seem like a particularly far stretch of inference.
4. Of course I can't quantify this - that's explicitly stated. I have personally seen a great many compromises take place (probably well into the thousands), and am extrapolating from that. I'm not sure why you begrudge me on this point - do you think that vulnerable systems aren't being broken into?
5. I'm not sure where you got the idea that I thought MS doesn't face a real threat (or that people have been reporting meaningless vulnerabilities?). I'm not sure why you refer to MS' security push as something they ``would'' do - they did do it (and still are. Search google news for any MS security story in the last 2 or 3 years).
6. Again, I don't know why you assume this is an accident of some sort. I was trying to point out that I don't consider random bugfinding to be any sort of end-all solution. Only that is valuable.
On to your questions...
1. Maybe if I hadn't seen so many security problems with ``global-tech companies'' I would feel like this matters in some way. It doesn't. I have seen tons of lazy employees in positions of importance. I have seen tons of incompetent employees rise absurdly far through the corporate ladder, and be called ``security professionals'' regardless of what they know or are capable of.
2. This is new to me. I like to encourage people to think. That's about the extent of me having any desire to be like I am (or claim to be, etc...)
3. If I had cared about the other weaknesses in your argument, I would have pointed them out. Similarly, you seem to ignore large parts of what I say (despite me thinking it relevant).
4. Thanks for the luck. You may throw in the towel any time you like. If I thought you would have had something useful to say, I would have posted to your blog.