[clue-talk] hrmmm

Matt Poletiek chill550 at gmail.com
Tue Jul 31 16:51:21 MDT 2007


>Yes, but to do in-depth security research, you need to get paid to do
>so.  Only a small percentage of folks are going to work on this stuff in
>their spare time, with the level of complexity we're talking about nowadays.

This kind of mindset is limiting to human potential. Resources are
obtained in more than one way and this is often the case.

>The "evolution" has been going on for a couple of decades now.  When
>will it "evolve" into something a magnitude better?  Where's the fiscal
>incentive to do so?  Who's working on it?

If you follow mailing lists like bugtraq and full disclosure, hell,
even the milw0rm RSS, you will see that more often than not the idea
of a security hole is presented by a nobody or someone who wishes to
remain anonymous; this is due to society's fear of this knowledge.
After the idea is presented, proof of concept code is developed by,
again, either a nobody or someone who wishes to remain anonymous.
There are a bold few well known names, but they do not alone drive
the evolution of the code. Code, in a sense, is an ever evolving
language of strictly objective, linear logic. When a machine is
exploited, it is simply executing true logic which was not foreseen
by the official developer.

This additional logic forces future generations to reconsider, hence
the evolution. This occurs in both the commercial and open source
communities, though much quicker and more efficiently in the latter.

>Right.  But do they do that because of silly little catch phrases and
>misconceptions like "virus" and "trojan horse"?  Could the industry
>overall do a better job of explaining what's REALLY wrong, instead of me
>seeing late night commercials for "does your computer have a worm?
>(ewwww!)" targeted at and feeding off of, the clueless?

Not the industry, but the community. Humanity separate from capitalism
and profit motive. It is the hobbyists that create the industry, it is
the industry which mass produces the technology. Those who really care
will find the need to understand the solution instead of trusting
their money. This doesn't have anything to do with industry, but
everything to do with evolution. The extremes of the species test
every direction before the masses follow.

As long as people are willing to throw money at their problems, there
will be industry. It is up to the industry to get along with the
community. You see this happening now in the security industry;
however, there are those who fear change and will do anything they can
to stop it. This fear will either cripple or harbor this newfound
human nature regarding our technology.

>I know it's possible, and fully agree.  But I think most companies and
>organizations using computers really don't understand the COSTS involved.

I would say anyone presenting a guaranteed security against all
automated attacks will receive the ears of many. It is an
organization's desire to cling to the technology they have already
adapted which forces compromises such as multi-leveled authentication
and unnecessary overhead.

I find 2 consistencies in all the compromised systems I come across.

#1. They are always fairly out of date... this does not cost money to solve.
#2. They never have any decent form of memory protection... This too
only requires a little bit of expertise to set up.

There is no need at all to be so paranoid as to adopt legacy
technologies to stay secure.
Fear feeds that which is subject to fear.

On 7/31/07, Nate Duehr <nate at natetech.com> wrote:
> Matt Poletiek wrote:
> >> Those who really care about the solution need lots of time and money
> >> to figure it out, thus sell out and become "the security industry".
> >
> > Time yes, money for an internet connection maybe. Computers are available for
> > free to the resourceful.
>
> Yes, but to do in-depth security research, you need to get paid to do
> so.  Only a small percentage of folks are going to work on this stuff in
> their spare time, with the level of complexity we're talking about nowadays.
>
> There are some out there that do it for fun, but auditing say, the Linux
> kernel code tree for every possible buffer overflow?  Not going to
> happen unless it's a job someone's paid to do.
>
> >> Do you really think SANS wants to fix the problems permanently now
> >> that they're making a wicked living off of them?
> >
> > No, and that's the problem of the profit motive. However, most software companies
> > outsource their security audits and solutions.
>
> To whom?  Those companies also have a fixed interest in the problems
> never being fixed, or else there would never be a reason to audit in the
> first place.
>
> In other words, there's no economic incentive to fix the root-cause
> problems.  Well, there is -- but companies don't see that as effective
> as just paying someone 1/10th of that price to give them a piece of
> paper that says they were "audited" and put the liability on that other
> company.  The real liability falls back on their customers, since it's
> usually personal information that's stolen these days, for purposes of
> identity theft and credit card fraud (same thing).
>
> >> Patches are forever, really fixing the software puts you out of a
> >> job.
> >
> > This is true. However I see patches as consistent no matter what your motive,
> > commercial or open source. This is the evolution of code. Just like breaking
> > into a house, the level of security technology forever increases.
>
> The "evolution" has been going on for a couple of decades now.  When
> will it "evolve" into something a magnitude better?  Where's the fiscal
> incentive to do so?  Who's working on it?
>
> (Those are the key questions... "evolution" doesn't take place unless
> there's a reason to do so that's stronger than the reasons not to do so.)
>
> >> They're just using horribly insecure products at the core level.
> >
> > Yes, and the problem with the industry is the lack of this understanding.
> > Instead of bothering with the 'core' levels, the OS levels in my opinion,
> > they add layers of security on top. Multiple layers of authentication come
> > to mind.
>
> Right.  But do they do that because of silly little catch phrases and
> misconceptions like "virus" and "trojan horse"?  Could the industry
> overall do a better job of explaining what's REALLY wrong, instead of me
> seeing late night commercials for "does your computer have a worm?
> (ewwww!)" targeted at and feeding off of, the clueless?
>
> > I personally believe security is possible. You will never defeat the determined,
> > however you can prevent yourself from being prey for those looking for a quick
> > and automated hack. There will always be scavengers amongst the pack.
>
> I know it's possible, and fully agree.  But I think most companies and
> organizations using computers really don't understand the COSTS involved.
>
> If they did, they might have stuck with filing cabinets and paper.  And
> the industry surely doesn't have any incentive to want THAT!  (GRIN)
>
> Nate
> _______________________________________________
> clue-talk mailing list
> clue-talk at cluedenver.org
> http://www.cluedenver.org/mailman/listinfo/clue-talk
>


-- 
Matthew Poletiek
www.chill-fu.net