Dailydave mailing list archives
Re: Re: Hacking's American as Apple Cider
From: pageexec () freemail hu
Date: Wed, 21 Sep 2005 17:54:16 +0200
On 20 Sep 2005 at 19:38, Marcus J. Ranum wrote:
pageexec () freemail hu wrote:
i thought it was pretty obvious as we have an analog situation with cryptography. and you are not advocating a worldwide ban on public crypto research and development, are you?
Like most analogies, it fails if you pull it far enough.
let's see if it really does ;-).
The idea of making cryptographic designs public is because it has been determined that it's fruitless to try to keep them secret.
has it? the german gov has developed a block cipher called LIBELLE, i don't remember having ever seen it discussed in public, maybe you have? and it's being used to encrypt NATO-SECRET and german STRENG GEHEIM level info as we are speaking. much like we still have sw vendors who believe in keeping their source private, in part hoping that their code will be less analyzed and exploited. on the other hand, we can see that public crypto research has resulted in a few quite resistant algos, much like hacking on open source systems has improved their security a lot. in both cases the same kind of processes led to the same consequences.
So it's easier to start off with them public because it lowers the barrier for an expert to get involved in analyzing them.
s/start off with them public/publish the source code/ and it's still true - the analogy works just perfectly.
But the important difference between crypto research and hacking is that it's rare that a new crypto discovery is going to suddenly make a vast number of users become vulnerable.
i think you're comparing apples to oranges. the analogy of crypto research (discovery and disclosure) in hacking is not "unleash a worm on the unsuspecting internet". rather, it's "look for and publish the vulnerability". now, users don't become vulnerable because of disclosure (i know that the 'responsible' disclosure guys like to mislead the public with that, no idea why you picked up their line...), they become vulnerable by running buggy apps (or using weak crypto in the analogy). whether the public at large is aware of the bugs or not is a 'quantity' issue, not that of 'quality'. and once you get owned, you don't really care if there was this ueber secret agency that did it or the whole world could have done it, you were vulnerable and had to learn it the hard way. so no, there's no such difference between crypto and hacking, in either case public disclosure of a flaw doesn't change the fact that something was vulnerable/weak, it only makes the users aware of the fact.
let's also look at the orange side. what happens after disclosure? according to you, there would be a difference between crypto and hacking. i state (again) that there isn't any qualitative difference, there's only a quantitative one, if at all (which is not enough to invalidate an analogy). even the quantitative difference is questionable. i guess when you talked about 'vast number of users' you were probably thinking of the millions of Windows boxes owned by the worm/backdoor/etc du jour. what do you think about the break of WEP of a few years ago? didn't that also expose (and still does) 'vast number of users'? see, crypto research and disclosure can cause just as many problems as hacking. you're probably thinking now that this is just the 'rare' case and doesn't invalidate your point. well, it does because 'rare' is a relative term and you're again comparing apples to oranges. i hope we agree that:
1. our crypto knowledge is much more evolved than our 'how to write bugfree code' knowledge (even today, let alone a few years ago)
2. we have much more (internet exposed) sw deployed than crypto algos (i mean the kinds of sw/algos, not the boxes that run them)
as a consequence we're much more likely to deploy buggy apps than we are to deploy flawed crypto. it will take many more years (i'm being optimistic probably) until sw development catches up with where crypto stands today. so the fact that serious crypto flaws are rare is not because crypto is somehow fundamentally different from finding/exploiting sw flaws, but because they're at different stages of 'evolution'. the other reason for this perception is that the internet makes it a lot easier to connect victims and attackers, whereas with crypto you need access to ciphertext, something that's often not as readily available as an internet connection (although wardrivers would disagree with that).
and i say this with a certain uneasiness as i don't actually know how long the MD5 weaknesses have been known to and potentially exploited by certain people, so maybe we actually have (or will have) a full quantitative analogy as well, we just haven't seen it on the news yet.
anyway, i'm sure that were someone to figure out a polynomial time complexity integer factorization algo, half the world would be up in arms to prevent its disclosure due to the disruption it would cause (the other half favouring full and open discussion). in short, i don't see any difference here with respect to hacking related disclosures and consequences.
And, lastly, you neglect to mention that most of the interesting code-breaks in history were kept secret by the discoverers for quite some time.
how's hacking different? let me guess, you don't know what a 0-day is. or want to forget about it, like the 'responsible' disclosure people like to do (because it invalidates their arguments).
Indeed, most of the interesting research in code-making was kept secret by the discoverers for quite some time. You still don't know how Type-1 crypto works, and if you do, you'll just smile and nod. :)
is it any better than LIBELLE? i'm all ears ;-)
in both hacking and crypto we're finding and exposing flaws in someone's thinking (or lack thereof, as it is often the case), and i don't see why that'd be the dumbest idea. unless you want to live in a dumb world, that is.
Your analogy fails because you're talking about popular myths, not reality.
heh, careful with those ex cathedra statements.
Yes, there is an active community that is doing public cryptographic research and they do it openly. They are just a pale shadow of the classified research that goes on and has been going on for a lot longer.
first of all, how do you *know* that they're only a pale shadow of classified research? i mean, below you state that you don't *know* whether classified hacking research even exists let alone what they have achieved, how can you *know* then the same about crypto? something tells me that you can't have it both ways. second, what makes you think that academic 'hacking research' is not a pale shadow of what you find in the underground? see, in both worlds (crypto/hacking) you have people who do research (exposing flaws in someone else's thinking) and in both worlds some of these findings see the light of the day, some don't. where's the difference again?
I actually hope that your analogy is NOT good - that there are no deeply classified hacking research groups inside various national intelligence forces.
methinks you're living in your own myth here. of course many countries run such programs under various disguises (and i 'know' this as much as you 'know' the same about crypto ;-), it's in their very interest to stay informed and in control in cyberspace (nothing different from crypto, i might add). moreover, non-public hacking research has traditionally not been restricted to state sponsored groups. [snipped long explanation as i didn't see what was pointed out as the difference between hacking/crypto, feel free to restate it in other terms i can understand.]
on the 'default permit' issue: it is not the dumbest idea, it is the only way that can scale in systems. take a (not exactly big by any measure) company with 1000 users and 1000 executable files that these users need. that's an access control matrix with a million elements.
You're assuming an enterprise with 1000 users each of which has a 1000 individual executable load-out? That'd be dumber than dumb.
i guess you made the same mistake as another poster, please check out http://marc.theaimsgroup.com/?l=dailydave&m=112670062000166&w=2 for the explanation of 'executable files'. and the question about a+x stands too ;-).