[clue-talk] hrmmm

Wed Aug 1 11:50:37 MDT 2007

I think your bell curve is more a cliff. :)

Whoever wrote the hacker manifest has a sense of humor:

Recognition by peers,  ultimately  being  called  a "hacker", was the highest retribution.

I never thought about going to Defcon.  Might be interesting sometime, if it's not too expensive.

 -------------- Original message ----------------------
From: "Matt Poletiek" <chill550 at gmail.com>
> Great Conversation. I think we are agreeing on a lot of the same points.
> 
> When I picture the bell curve in my mind I see the technologists who
> understand security in the middle and the consumers and management on
> the left and the right when you look strictly at the security
> industry.
> 
> What I fear is the limited progress made by both community and
> industry due to the fear of the knowledge a few people may have. We
> need to harbor these great thinkers and make them work for us instead
> of allowing them to sell their 0day exploits.
> 
> The fear in computer security subsides with education. Although, you
> will never be able to teach or convince a student in the mindset that
> money will solve his problem.
> 
> Well im going to pack for Defcon, too bad no one else will be coming
> or is man/woman enough to admit it.
> 
> You all should check this out in the meantime.
> 
> http://www.toxyn.org/free-hacker-manifest.html
> 
> On 8/1/07, Nate Duehr <nate at natetech.com> wrote:
> >
> > On Jul 31, 2007, at 4:51 PM, Matt Poletiek wrote:
> >
> > >> Yes, but to do in-depth security research, you need to get paid to do
> > >> so.  Only a small percentage of folks are going to work on this
> > >> stuff in
> > >> their spare time, with the level of complexity we're talking about
> > >> nowadays.
> > >
> > > This kind of mind set is limiting of human potential. Resources are
> > > obtained in more than one way and this is often the case.
> >
> > Okay, that's a fair discussion point.
> >
> > >> The "evolution" has been going on for a couple of decades now.  When
> > >> will it "evolve" into something a magnitude better?  Where's the
> > >> fiscal
> > >> incentive to do so?  Who's working on it?
> > >
> > > If you follow mailing lists like bugtraq and full disclosure, hell,
> > > even the milw0rm rss. You will see that more often then not the idea
> > > of a security hole is more often than not presented by a nobody or
> > > someone who wishes to remain anonymous, this is due to societies fear
> > > of this knowledge.
> >
> > That comment could spin a whole new topic of discussion:  Why are
> > people afraid of computers?  Is it because people aren't logical, or
> > because of interesting human interaction problems with people "in the
> > know" and people who "don't have a clue".  If those "in the know"
> > could openly describe how they "got there" -- those that have either
> > good training (nuture) or good intuition (nature) about how computers
> > actually REALLY work, what percentage of those who "don't have a
> > clue" would attempt to climb the same mountain to gain the same or
> > similar knowledge levels?  Would they?
> >
> > I contend that the fact that paid groups like SANS and others exist
> > because people don't want to climb that knowledge mountain alone,
> > but... if the person only sits and absorbs what a good training
> > organization like SANS presents (yes, I think they have very good
> > material and courses), and they don't take a personal interest of
> > some sort... the knowledge will only take them so far.
> >
> > > After the idea is presented, proof of concept code
> > > is developed by again, either a nobody or someone who wishes to remain
> > > anonymous. Their are a bold few well known names, but they do not
> > > alone drive the evolution of the code. Code, in a sense, is an ever
> > > evolving language of strictly objective, linear logic. When a machine
> > > is exploited, it is simply executing true logic which was not foreseen
> > > by the official developer.
> >
> > Agreed.  And no single developer will ever see all the holes.  But...
> > where's the effort up-front (and the monetary and/or moral deep
> > emotional drive) to work with others to make sure one's code doesn't
> > "suck" when it comes to security?  I don't believe that forced
> > "certifications" that someone else reviewed your code is a viable
> > option in anything except highly-funded environments.   And the in-
> > between is where most people live, looking at a typical bell-curve.
> > So how do you push "security" down into the middle of the bell-
> > curve?  That's the interesting (and maybe unanswerable) question that
> > drives my curiosity.
> >
> > > This additional logic forces future generations to reconsider, hence
> > > the evolution. This occurs in both the commercial and open source
> > > communities, though much quicker with more efficiency in the latter.
> >
> > So it's claimed.  I'm not going to go into that debate here, but I
> > can point out commercial products that evolved far more than the open-
> > source community could evolve them... an example would be Asterisk.
> > It's laughably bad at telco when compared to a Lucent #5ESS Central
> > Office switch, but that doesn't mean it doesn't have its place.  At
> > the extremes (and Asterisk and a CO switch are about as far apart on
> > the bell-curve as two "products" get), you see people getting paid
> > large sums of money on the high-end to get things done, and on the
> > low-end you see volunteers toiling away on a "pet" project.
> >
> > But the "in the middle" projects are the ones most people use for
> > things... and many such projects seem to stall out from under their
> > own weight as volunteers get over-extended for what's "reasonable"
> > amounts of time and yet there's no funding to pay someone to pick it
> > up and run with it.  In the middle-ground of the bell curve for
> > software seems to always be the "most dangerous" when it comes to
> > various design issues, security included.
> >
> > >> Right.  But do they do that because of silly little catch phrases and
> > >> misconceptions like "virus" and "trojan horse"?  Could the industry
> > >> overall do a better job of explaining what's REALLY wrong, instead
> > >> of me
> > >> seeing late night commercials for "does your computer have a worm?
> > >> (ewwww!)" targeted at and feeding off of, the clueless?
> > >
> > > Not the Industry, but the community. Humanity separate of capitalism
> > > and profit motive. It is the hobbyists that create the industry, it is
> > > the industry which mass produces the technology. Those who really care
> > > will find the need to understand the solution instead of trusting
> > > their money. This doesn't have anything to do with industry, but
> > > everything to do with evolution. The extremes of the species test
> > > every direction before the masses follow.
> >
> > Good point, maybe we're getting at the same idea here, but I'm
> > attacking (or trying to) the "how do you make the in-between better,
> > permanently" question.
> >
> > > As long as people are willing to throw money at their problems, there
> > > will be industry. It is up to the industry to get along with the
> > > community. You see this happening now in the security industry,
> > > however there are those who fear change and will do anything they can
> > > to stop it. This fear will either cripple or harbor this new found
> > > human nature regarding our technology.
> >
> > Fear stops a lot of things.  Definitely true.  I would be afraid to
> > dive into a project like say, Asterisk -- even with my many years of
> > telco background and knowledge/experience, because I would be afraid
> > that it would "eat me alive"... now on the opposite side of that
> > coin, I could see someone with a passion for it, really burning
> > themselves badly but adding great value to the project.  (In fact,
> > watching some of the mailing lists, there are already people doing
> > that.  Whether or not they'll realize any long-term personal gain for
> > doing so, and by that I mean any kind of gain -- even if their
> > motivation is just "to make things better" -- remains to be seen.
> >
> > Free World Dial-up is another example.  Great idea, neat project...
> > and recently they finally had to come up with a plan that would "pay
> > the bills"... and then carefully explain to their user-base that the
> > "free" isn't going away, but there's some "better than free" services
> > to be had if one pays a bit...
> >
> > >> I know it's possible, and fully agree.  But I think most companies
> > >> and
> > >> organizations using computers really don't understand the COSTS
> > >> involved.
> > >
> > > I would say, anyone presenting a guaranteed security against all
> > > automated attacks will receive the ears of many. It is an
> > > organizations desire to cling to the technology they have already
> > > adapted which forces compromises such as multi-leveled authentication
> > > and unnecessary overhead.
> >
> > Hmmm... here we might disagree.  Sometimes I think the unnecessary
> > overhead isn't necessary from a technical standpoint, but it is
> > needed badly for people's acceptance... managers without a clue find
> > RSA keyfobs and multiple layer VPN's comforting because there's
> > something they can see and hold and understand there, versus say a
> > just-as-secure OpenVPN tunnel that would cost many factors less.
> > Technically, NO difference in security if both are implemented
> > correctly -- but that little keyfob in their hands works just like a
> > real "key" that they lock their house up at night with -- but faced
> > with a decision to build or not build some new project, they
> > immediately also assume that the only way to do "security" is to
> > continue the -- shall we call it "tradition", since that seems to be
> > the emotion that's at play here -- of using an expensive keyfob-
> > enabled Cisco PIX (complete with brand-loyalty, perhaps) than
> > trusting that the OpenVPN box that cost $500 to implement is "just as
> > good".
> >
> > > I find 2 consistencies in all the compromised systems I come across.
> > >
> > > #1. They are always fairly out of date.... this does not cost money
> > > to solve
> > > #2. They never have any decent form of memory protection.... This too,
> > > only requires a little bit of expertise to setup.
> >
> > Same experience here.  No policy/procedure for maintaining legacy
> > system security.  However... there's a catch here.  I've seen
> > business systems that could NOT be patched/upgraded, because the
> > vendor "moved on" to the next version.  The original version works
> > FLAWLESSLY for the organization's purposes, but suddenly finds itself
> > insecure in an ever-more-hostile network environment.  Deploying SSH
> > on Solaris 8 might be a so-so example of this... Sun as a vendor
> > won't offer up "official" Solaris 8 SSH packages, but they're "built-
> > in" and supported on Solaris 9 and 10.  Forced upgrades.  But it
> > happens in the non-commercial open-source realm, too.  I just can't
> > think of a great example right at the moment.
> >
> > > There is no need at all to be so paranoid as to adopt legacy
> > > technologies to stay secure.
> > > Fear feeds that which is subject to fear.
> >
> > Maybe that's REALLY a good root-cause type of question -- how to get
> > people less fearful of computer security.  Very interesting question,
> > that probably leads to even more questions.
> >
> > It's fun to think about all of it from the big-picture vantage point,
> > but in the trenches it so often gets convoluted.  An example would be
> > mandated port-scanning... if the software says "medium" threat
> > because telnetd is enabled on a machine, even if no one EVER uses
> > it... is it really a "threat"?  To many "security companies" the
> > answer today is... yes.  Government agencies too.  If it's open and
> > listening, it's a "threat" even if the logs clearly show that no one
> > ever accesses the machine that way, and there are no exploits for the
> > daemon.... (telnetd is a bad example, it has had problems, but then
> > again, so has SSH).
> >
> > --
> > Nate Duehr
> > nate at natetech.com
> >
> >
> >
> > _______________________________________________
> > clue-talk mailing list
> > clue-talk at cluedenver.org
> > http://www.cluedenver.org/mailman/listinfo/clue-talk
> >
> 
> 
> -- 
> Matthew Poletiek
> www.chill-fu.net
> _______________________________________________
> clue-talk mailing list
> clue-talk at cluedenver.org
> http://www.cluedenver.org/mailman/listinfo/clue-talk