[clue-talk] hrmmm

[Nate Duehr]

On Jul 31, 2007, at 4:51 PM, Matt Poletiek wrote:

>> Yes, but to do in-depth security research, you need to get paid to do
>> so.  Only a small percentage of folks are going to work on this  
>> stuff in
>> their spare time, with the level of complexity we're talking about  
>> nowadays.
>
> This kind of mind set is limiting of human potential. Resources are
> obtained in more than one way and this is often the case.

Okay, that's a fair discussion point.

>> The "evolution" has been going on for a couple of decades now.  When
>> will it "evolve" into something a magnitude better?  Where's the  
>> fiscal
>> incentive to do so?  Who's working on it?
>
> If you follow mailing lists like bugtraq and full disclosure, hell,
> even the milw0rm rss. You will see that more often then not the idea
> of a security hole is more often than not presented by a nobody or
> someone who wishes to remain anonymous, this is due to societies fear
> of this knowledge.

That comment could spin a whole new topic of discussion:  Why are  
people afraid of computers?  Is it because people aren't logical, or  
because of interesting human interaction problems with people "in the  
know" and people who "don't have a clue".  If those "in the know"  
could openly describe how they "got there" -- those that have either  
good training (nuture) or good intuition (nature) about how computers  
actually REALLY work, what percentage of those who "don't have a  
clue" would attempt to climb the same mountain to gain the same or  
similar knowledge levels?  Would they?

I contend that the fact that paid groups like SANS and others exist  
because people don't want to climb that knowledge mountain alone,  
but... if the person only sits and absorbs what a good training  
organization like SANS presents (yes, I think they have very good  
material and courses), and they don't take a personal interest of  
some sort... the knowledge will only take them so far.

> After the idea is presented, proof of concept code
> is developed by again, either a nobody or someone who wishes to remain
> anonymous. Their are a bold few well known names, but they do not
> alone drive the evolution of the code. Code, in a sense, is an ever
> evolving language of strictly objective, linear logic. When a machine
> is exploited, it is simply executing true logic which was not foreseen
> by the official developer.

Agreed.  And no single developer will ever see all the holes.  But...  
where's the effort up-front (and the monetary and/or moral deep  
emotional drive) to work with others to make sure one's code doesn't  
"suck" when it comes to security?  I don't believe that forced  
"certifications" that someone else reviewed your code is a viable  
option in anything except highly-funded environments.   And the in- 
between is where most people live, looking at a typical bell-curve.   
So how do you push "security" down into the middle of the bell- 
curve?  That's the interesting (and maybe unanswerable) question that  
drives my curiosity.

> This additional logic forces future generations to reconsider, hence
> the evolution. This occurs in both the commercial and open source
> communities, though much quicker with more efficiency in the latter.

So it's claimed.  I'm not going to go into that debate here, but I  
can point out commercial products that evolved far more than the open- 
source community could evolve them... an example would be Asterisk.   
It's laughably bad at telco when compared to a Lucent #5ESS Central  
Office switch, but that doesn't mean it doesn't have its place.  At  
the extremes (and Asterisk and a CO switch are about as far apart on  
the bell-curve as two "products" get), you see people getting paid  
large sums of money on the high-end to get things done, and on the  
low-end you see volunteers toiling away on a "pet" project.

But the "in the middle" projects are the ones most people use for  
things... and many such projects seem to stall out from under their  
own weight as volunteers get over-extended for what's "reasonable"  
amounts of time and yet there's no funding to pay someone to pick it  
up and run with it.  In the middle-ground of the bell curve for  
software seems to always be the "most dangerous" when it comes to  
various design issues, security included.

>> Right.  But do they do that because of silly little catch phrases and
>> misconceptions like "virus" and "trojan horse"?  Could the industry
>> overall do a better job of explaining what's REALLY wrong, instead  
>> of me
>> seeing late night commercials for "does your computer have a worm?
>> (ewwww!)" targeted at and feeding off of, the clueless?
>
> Not the Industry, but the community. Humanity separate of capitalism
> and profit motive. It is the hobbyists that create the industry, it is
> the industry which mass produces the technology. Those who really care
> will find the need to understand the solution instead of trusting
> their money. This doesn't have anything to do with industry, but
> everything to do with evolution. The extremes of the species test
> every direction before the masses follow.

Good point, maybe we're getting at the same idea here, but I'm  
attacking (or trying to) the "how do you make the in-between better,  
permanently" question.

> As long as people are willing to throw money at their problems, there
> will be industry. It is up to the industry to get along with the
> community. You see this happening now in the security industry,
> however there are those who fear change and will do anything they can
> to stop it. This fear will either cripple or harbor this new found
> human nature regarding our technology.

Fear stops a lot of things.  Definitely true.  I would be afraid to  
dive into a project like say, Asterisk -- even with my many years of  
telco background and knowledge/experience, because I would be afraid  
that it would "eat me alive"... now on the opposite side of that  
coin, I could see someone with a passion for it, really burning  
themselves badly but adding great value to the project.  (In fact,  
watching some of the mailing lists, there are already people doing  
that.  Whether or not they'll realize any long-term personal gain for  
doing so, and by that I mean any kind of gain -- even if their  
motivation is just "to make things better" -- remains to be seen.

Free World Dial-up is another example.  Great idea, neat project...  
and recently they finally had to come up with a plan that would "pay  
the bills"... and then carefully explain to their user-base that the  
"free" isn't going away, but there's some "better than free" services  
to be had if one pays a bit...

>> I know it's possible, and fully agree.  But I think most companies  
>> and
>> organizations using computers really don't understand the COSTS  
>> involved.
>
> I would say, anyone presenting a guaranteed security against all
> automated attacks will receive the ears of many. It is an
> organizations desire to cling to the technology they have already
> adapted which forces compromises such as multi-leveled authentication
> and unnecessary overhead.

Hmmm... here we might disagree.  Sometimes I think the unnecessary  
overhead isn't necessary from a technical standpoint, but it is  
needed badly for people's acceptance... managers without a clue find  
RSA keyfobs and multiple layer VPN's comforting because there's  
something they can see and hold and understand there, versus say a  
just-as-secure OpenVPN tunnel that would cost many factors less.   
Technically, NO difference in security if both are implemented  
correctly -- but that little keyfob in their hands works just like a  
real "key" that they lock their house up at night with -- but faced  
with a decision to build or not build some new project, they  
immediately also assume that the only way to do "security" is to  
continue the -- shall we call it "tradition", since that seems to be  
the emotion that's at play here -- of using an expensive keyfob- 
enabled Cisco PIX (complete with brand-loyalty, perhaps) than  
trusting that the OpenVPN box that cost $500 to implement is "just as  
good".

> I find 2 consistencies in all the compromised systems I come across.
>
> #1. They are always fairly out of date.... this does not cost money  
> to solve
> #2. They never have any decent form of memory protection.... This too,
> only requires a little bit of expertise to setup.

Same experience here.  No policy/procedure for maintaining legacy  
system security.  However... there's a catch here.  I've seen  
business systems that could NOT be patched/upgraded, because the  
vendor "moved on" to the next version.  The original version works  
FLAWLESSLY for the organization's purposes, but suddenly finds itself  
insecure in an ever-more-hostile network environment.  Deploying SSH  
on Solaris 8 might be a so-so example of this... Sun as a vendor  
won't offer up "official" Solaris 8 SSH packages, but they're "built- 
in" and supported on Solaris 9 and 10.  Forced upgrades.  But it  
happens in the non-commercial open-source realm, too.  I just can't  
think of a great example right at the moment.

> There is no need at all to be so paranoid as to adopt legacy
> technologies to stay secure.
> Fear feeds that which is subject to fear.

Maybe that's REALLY a good root-cause type of question -- how to get  
people less fearful of computer security.  Very interesting question,  
that probably leads to even more questions.

It's fun to think about all of it from the big-picture vantage point,  
but in the trenches it so often gets convoluted.  An example would be  
mandated port-scanning... if the software says "medium" threat  
because telnetd is enabled on a machine, even if no one EVER uses  
it... is it really a "threat"?  To many "security companies" the  
answer today is... yes.  Government agencies too.  If it's open and  
listening, it's a "threat" even if the logs clearly show that no one  
ever accesses the machine that way, and there are no exploits for the  
daemon.... (telnetd is a bad example, it has had problems, but then  
again, so has SSH).

--
Nate Duehr
nate at natetech.com