On Apr 25, 2008, at 8:05 PM, Paul Ferguson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - -- Colin Keigher <[EMAIL PROTECTED]> wrote:
>
>> And yet the general public still unknowingly gets malware by
>> downloading applications that let them have free MP3s or whatever
>> they want today. Defcon can allow proper exposure on this subject.
>
> Proper exposure?
>
> I'm sorry, but if people don't already realize that their behavior
> is already dangerous by reading the plethora of data, articles,
> research, blogs, etc. that is available, some controversial contest
> to write "stealthy" malware at DefCon ain't gonna do it either.
Honestly, I think it's sad that everyone is scared of talking about/building/demo-ing 0day these days. 10 years ago you could go to any security/hacker con and several talks would be revealing some new vuln/exploit. IMO, that's changed dramatically due to several reasons:

- The increased value of 0day information has driven out the casual researcher and turned many of them into employees or consultants. Disclosing 0day at a conference rather than having a customer pay for it can have a big impact on someone's wallet.

- The fear of being sued or arrested. Various laws and civil cases have had a chilling effect (see Wendy Seltzer's work on this) on the research community. Sklyarov et al. spooked everyone and convinced many that it's just not worth the hassle anymore.

- MS et al. have hijacked the discussion of responsible disclosure. They have very carefully crafted the message in a way that implies that if you don't agree with them and their definition of "responsible disclosure" then you must be against making things more secure and really be a malicious hacker at heart.

I find the whole situation offensive. We are WAY too polite about discussing vulnerabilities in public right now. The ppl attacking us aren't ashamed to share information, and we shouldn't be either. Unfortunately, as a community, there's a self-imposed gag order in place that basically says "if you drop 0-day, you are evil."

Just because you don't talk about something doesn't mean it's not there... that's been a core tenet of security research for a long time. That's why we have concepts like full-disclosure and that's why many conferences were originally created.

More power to the contest organizers for encouraging public discourse about the state of vulnerabilities.

my 0.02.
later
bruce

> $.02,
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.3 (Build 3017)
>
> wj8DBQFIEnGpq1pz9mNUZTMRAkgzAJwLylDgy287QAlcOJ123dph59Ck6wCgyBR5
> Jsmt3eFXSsoXbPg6AM5j7WI=
> =SGd7
> -----END PGP SIGNATURE-----
>
> --
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawg(at)netzero.net
> ferg's tech blog: http://fergdawg.blogspot.com/
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
