[clue-talk] hrmmm

Nate Duehr nate at natetech.com
Tue Jul 31 14:38:39 MDT 2007


Matt Poletiek wrote:
>> Those who really care about the solution need lots of time and money
>> to figure it out, thus sell out and become "the security industry".
> 
> Time yes, money for an internet connection maybe. Computers are available for
> free to the resourceful.

Yes, but to do in-depth security research, you need to get paid to do 
so.  Only a small percentage of folks are going to work on this stuff in 
their spare time, with the level of complexity we're talking about nowadays.

There are some out there that do it for fun, but auditing say, the Linux 
kernel code tree for every possible buffer overflow?  Not going to 
happen unless it's a job someone's paid to do.

>> Do you really think SANS wants to fix the problems permanently now
>> that they're making a wicked living off of them?
> 
> No, and that's the problem of the profit motive. However, most software companies
> outsource their security audits and solutions.

To whom?  Those companies also have a fixed interest in the problems 
never being fixed, or else there would never be a reason to audit in the 
first place.

In other words, there's no economic incentive to fix the root-cause 
problems.  Well, there is -- but companies don't see that as effective 
as just paying someone 1/10th of that price to give them a piece of 
paper that says they were "audited" and put the liability on that other 
company.  The real liability falls back on their customers, since it's 
usually personal information that's stolen these days, for purposes of 
identity theft and credit card fraud (same thing).

>> Patches are forever, really fixing the software puts you out of a
>> job.
> 
> This is true. However, I see patches as consistent no matter what your motive,
> commercial or open source. This is the evolution of code. Just like breaking
> into a house, the level of security technology forever increases.

The "evolution" has been going on for a couple of decades now.  When 
will it "evolve" into something a magnitude better?  Where's the fiscal 
incentive to do so?  Who's working on it?

(Those are the key questions... "evolution" doesn't take place unless 
there's a reason to do so that's stronger than the reasons not to do so.)

>> They're just using horribly insecure products at the core level.
> 
> Yes, and the problem with the industry is the lack of this understanding.
> Instead of bothering with the 'core' levels, the OS levels in my opinion,
> they add layers of security on top. Multiple layers of authentication come
> to mind.

Right.  But do they do that because of silly little catch phrases and 
misconceptions like "virus" and "trojan horse"?  Could the industry 
overall do a better job of explaining what's REALLY wrong, instead of me 
seeing late night commercials for "does your computer have a worm? 
(ewwww!)" targeted at and feeding off of, the clueless?

> I personally believe security is possible. You will never defeat the determined
> however you can prevent yourself from being prey from those looking for a quick
> and automated hack. There will always be scavengers amongst the pack.

I know it's possible, and fully agree.  But I think most companies and 
organizations using computers really don't understand the COSTS involved.

If they did, they might have stuck with filing cabinets and paper.  And 
the industry surely doesn't have any incentive to want THAT!  (GRIN)

Nate
