Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-05 Thread Steven M. Christey

On Tue, 27 Feb 2007, J. M. Seitz wrote:

> Always a great debate, I somewhat agree with Marcus, there are plenty of
> "pimps" out there looking for fame, and there are definitely a lot of them
> (us) that are working behind the scenes, taking the time to help the vendors
> and to stay somewhat out of the limelight.

Do the people who write the books to avoid the vulns, sell the tools, and
give talks at conferences stay out of the limelight as well?  What about
all those podcasts?  They should be discounted too, since they're clearly
pimping something.  They must have ulterior motives.  Don't get me started
on those rabble-rousers who complain about voting machine security.

Not that I don't have issues with how disclosure happens sometimes, but
the anti-researcher sentiment that castigates them based on "looking for
fame" by people who are themselves "famous" strikes me as a bit
hypocritical.  Why do we know that Marcus designed the White House's first
firewall?  'cause he told us, that's why.

We're very lucky that assumed fame-hunters like Cesar Cerrudo and David
Maynor have decided that they won't bother telling the vendor about vulns
they find because of all the trouble it gets them into.  It's quite
unfortunate that Litchfield has almost single-handedly dared to question
Oracle's claim that it's unbreakable.  Perhaps we would prefer that these
pimpers stop giving us disclosure timelines that show that they notified
vendors about issues months or YEARS before the vendors actually got
around to fixing them.  We can go back to security through obscurity, the
old fashioned way, by lawsuits and threats.  Like what happened at Black
Hat last week, but with less press.

Basically, I have an issue with the criticism of this aspect of researcher
"pimpage" when it's usually the pot calling the kettle black, when most of
us are getting paid one way or another for this work, and there's a
pervasive inability to recognize that many such researchers feel forced to
disclose when the vendor still does nothing.  And many researchers aren't
in it for the fame, which is the assumption that the pimpage argument is
based on.

Sorry, must be a case of the Mondays combined with this building up over a
year or two.  The vuln researchers are the only parts of this business who
get no respect.

- Steve
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Blog posts on Ideas for a Partial Trust Managed Code World

2007-03-05 Thread Dinis Cruz

The posts linked below are a variation of an email that I sent to 4 senior
technical Microsoft employees (two from .NET Security and two from the MS
Office security) before I had a lunch meeting with them last Friday (2nd
March 2007).

As with all my previous meetings/lunches with Microsoft employees, it was an
interesting intellectual discussion but with no tangible results or
actionable actions since they (and Microsoft) don't believe that Partial
Trust Managed Code is a valid solution/approach. I also think that I need to
speak with their bosses, but unfortunately their bosses are not talking to
me.


  - On Microsoft's lack of Partial Trust Managed Code (PTMC) focus and
  ideas for the future - In this post I start by doing a quick analysis of
  the current 'head in the sand' response, and defend that in order for the
  changes to have real impact we will need improvements in 6 areas:
  Technological, Political, Strategical, Economical, Social and Educational

  - 'Security Awareness Modes' & the 'day Microsoft changes' - Here I
  introduce an interesting concept of 4 Awareness Modes which I think are
  good ways to describe companies' awareness of the security issues that
  they face. The 4 modes are: 'Blissful ignorance', 'The Patching Dance',
  'The SDL Dream' and 'The Alignment'

  - Roadmap to a Partial Trust Managed Code world - Here I propose a
  time-line for the migration from the current 'all unmanaged/Full Trust
  world'

And before you shoot down these ideas (which are not short term btw), please
propose solutions for protecting our assets from malicious code executed
under our (and the applications') run-time environments.

The bottom line is that currently (and it seems in the future) our main
security defense mechanism is our ability to prevent malicious code from
being executed in our environments (and if you think this is easy to
prevent, just make a quick list of all the applications and plug-ins
(containing external code) that are currently running on your desktop,
servers and web environments).

Dinis Cruz
Chief OWASP Evangelist
http://www.owasp.org


Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-05 Thread Stuart Moore

Though I share Steve's sentiments on the anti-researcher bias, and I
agree with Gary's yin-yang conclusion, I really hate the question itself.

The disclosure question itself *presumes* that the current state of the
industry (defective products) is economically efficient.  The premise
absolves vendors *and* customers of any role or responsibility in
improving efficiency [I'm of the opinion that organic security would be
economically beneficial].

The question presumes that The Issue with vulnerabilities is either 
squelching the researchers (the researcher as pimp view) or promoting 
detailed disclosures (the researcher as super hero view).

I am much more interested in why vendors make defective products and why 
customers accept this level of quality, and lots of related questions.

So, in reference to Gary's "breaking story," why was the Gary McGraw
automaton not able to deal with the icy walk?  Is the severe structural
damage and hours of surgical correction more cost effective than what
any anti-ice protections would have cost?  Those are the Good Questions.
Asking whether the disclosure of the icy exploit is good or bad is the
Wrong Question.

Stuart


-- 
Stuart Moore
SecurityTracker.com



Steven M. Christey wrote:
> On Tue, 27 Feb 2007, J. M. Seitz wrote:
> 
>> Always a great debate, I somewhat agree with Marcus, there are plenty of
>> "pimps" out there looking for fame, and there are definitely a lot of them
>> (us) that are working behind the scenes, taking the time to help the vendors
>> and to stay somewhat out of the limelight.
> 
> Do the people who write the books to avoid the vulns, sell the tools, and
> give talks at conferences stay out of the limelight as well?  What about
> all those podcasts?  They should be discounted too, since they're clearly
> pimping something.  They must have ulterior motives.  Don't get me started
> on those rabble-rousers who complain about voting machine security.
> 
> Not that I don't have issues with how disclosure happens sometimes, but
> the anti-researcher sentiment that castigates them based on "looking for
> fame" by people who are themselves "famous" strikes me as a bit
> hypocritical.  Why do we know that Marcus designed the White House's first
> firewall?  'cause he told us, that's why.
> 
> We're very lucky that assumed fame-hunters like Cesar Cerrudo and David
> Maynor have decided that they won't bother telling the vendor about vulns
> they find because of all the trouble it gets them into.  It's quite
> unfortunate that Litchfield has almost single-handedly dared to question
> Oracle's claim that it's unbreakable.  Perhaps we would prefer that these
> pimpers stop giving us disclosure timelines that show that they notified
> vendors about issues months or YEARS before the vendors actually got
> around to fixing them.  We can go back to security through obscurity, the
> old fashioned way, by lawsuits and threats.  Like what happened at Black
> Hat last week, but with less press.
> 
> Basically, I have an issue with the criticism of this aspect of researcher
> "pimpage" when it's usually the pot calling the kettle black, when most of
> us are getting paid one way or another for this work, and there's a
> pervasive inability to recognize that many such researchers feel forced to
> disclose when the vendor still does nothing.  And many researchers aren't
> in it for the fame, which is the assumption that the pimpage argument is
> based on.
> 
> Sorry, must be a case of the Mondays combined with this building up over a
> year or two.  The vuln researchers are the only parts of this business who
> get no respect.
> 
> - Steve
