Loki wrote:

>Ok, this is going to cause a lot of flames, but I really don't care.. :)
>I attended Defcon and Mr. Marcus Ranum made a complete ass out of himself 
>by insulting close to 75% of his customer base with his choice for 
>discussion...
>so I would also not be surprised if there will be an influx of postings to
>BUGTRAQ concerning new NFR vulnerabilities aimed exactly for that reason.

         Golly gee, way to make points, Loki.  Model of Defcon 
professionalism, you are.   "Gray hat" hackers are 75 percent of the 
corporate network managers who are likely to buy a commercial IDS, 
huh?  Wonder what planet you come from.

         Fire away at NFR;-) I can't think of anything Marcus Ranum would 
appreciate more than a lot of constructive criticism aimed at the NFR 
IDS.  I presume he would use it -- as the best vendors do -- to polish, 
patch, and upgrade his product as quickly as possible. (NFR's adaptable 
n-code makes that very quick;-)

 >>If Marcus Ranum wants to diminish the amount of "gray-hat"
 >>security professionals out there then he is asking for a world of
 >>textbook-bred security admins who have no "real world"
 >>experience in security at all, only which has been taught to them at
 >>a UCExtension class..

         Horseshit.  Hackers aren't necessarily uncaught criminals, and 
"real world" experience doesn't have to leave you with either a felony 
record or a dirty hat.

         Marcus is a friend of mine; I'm also a consultant to NFR -- so I'm 
no model of objectivity either -- but any veteran on this List knows that 
Marcus is one of the sizable cadre of pros on this list who could out-code 
and out-smart any geek who drags around a label like "gray hat."

         Most of them could certainly break into a frighteningly large 
percentage of deployed systems -- a hell of a lot faster than your typical 
Defcon attendee -- but relatively few of them got those skills committing 
computer crimes.

         (I'm not saying folks can't come in from the Cold.  I believe in 
rehab and redemption.  I *am* saying that people who think -- today -- that 
they can spend part of their time hacking into other people's systems or 
networks, while at the same time pretending to be "security professionals," 
are dumb and naive hypocrites.)

         I didn't attend this Defcon, but from the reports I saw it sounded 
like Marcus merely told the assembled geeks and FBI agents what he has 
been saying to a lot of people over the past two years.

         Master Ranum can speak for himself, but here is my brief pitch on 
the theme:

         The Sacrifice of Innocents must cease.  The irresponsible "full 
disclosure" zealots -- those committed to rapid, complete, and immediate 
disclosure of security vulnerabilities in widely-used products (often with 
click 'n kill "attack code" gratuitously tacked on to the mailing) -- 
should be forced to take at least partial responsibility for damages that 
result directly from their actions.

         The price is too high today. The potential for a virtual bloodbath 
is too great. The routinely explosive growth of the Net connects thousands 
of new networks and hundreds of thousands of PCs weekly -- many with 
minimal defenses and no security savvy -- so the scale of the potential 
damage gets steadily ratcheted up, more than proportionately.

         We need to forge a new convention among IT security professionals 
which brings some higher standard of responsibility to bear on how 
vulnerability disclosures are managed -- a professional creed which 
effectively ostracizes and condemns those who (often quite sanctimoniously) 
aid and abet the vandals.

         How did we reach the point where it is now acceptable practice to 
use such "poison well" tactics to tout competitive products, to grandstand 
for headlines, or to punch up advertising revenues for commercial 
"Infosec" websites?

         This is *not* to say that vendors should continue to escape legal 
liability and responsibility for shoddy workmanship and poor or 
non-existent QA.  That's a separate political problem, and a serious one.

         This is *not* to deny that those who discover these 
vulnerabilities are doing the marketplace, and all of us, an important public service.

         This is *not* to suggest that product vulnerabilities should not 
be documented and published.

         What I've heard Marcus say is no more than what I think most 
infosec professionals believe:  A vendor should be given a reasonable, if 
limited, opportunity to validate a threat, patch it as necessary, 
and  properly QA a patch -- and, if necessary, reach out to warn its 
customers -- before a serious vulnerability is publicly documented to the 
degree that any half-wit script-kiddie could use it to cause widespread havoc.

         (From what I can see, it seems that Dug Song, John McDonald, and 
Tom Lopatic did everything just about right when they reportedly gutted 
Checkpoint's FW-1 at Defcon.  With the apparent cooperation of the three, 
Checkpoint had Service Pack 2 ready to address the vulnerabilities they 
described when they made their presentation -- and Dug said the full report 
on their research would not be published for a week or two.)

         When we are talking about going beyond publishing the details of 
a  new threat or vulnerability -- when we are talking about the gratuitous 
distribution of executable "exploit code,"  purposely turning a security 
problem into a disaster to stick it to the vendor as deeply as possible -- 
I think different rules apply.

         I think corporate entities and individuals who irresponsibly 
distribute either virus/worm code, or "exploit code," should be held 
accountable for damages that can be traced back to their distribution. 
These guys are part of the problem, not part of the solution.

         The sacrifice of innocents is not a moral option -- nor is it a 
viable political tactic to apply maximum pressure on vendors. (Even if it works.)

         Personally, I'm surprised we haven't yet seen a few 
carefully-targeted civil lawsuits already. (Ideally, from some well-heeled 
corporate victims which suffered real losses because some "full disclosure" 
nut felt it was meGacool to attach "exploit code" to some overnight 
announcement of an undisclosed major vulnerability on a moderated List.)

         Equally likely, unfortunately, will be state and US federal 
legislation that will hamper useful and necessary work in vulnerability 
research.  Neither the State nor the public is gonna put up with this gray 
hat bullshit as millions of jobs and billions of dollars are placed at risk 
by such antics.

Surete,

         Vin

Vin McLellan
The Privacy Guild
Chelsea, MA, USA

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]