Full Disclosure mailing list archives

Re: Security Industry Under Scrutiny: Part One


From: White Vampire <whitevampire () mindless com>
Date: Sun, 10 Nov 2002 22:15:36 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, Nov 10, 2002 at 09:35:24PM -0500, sockz loves you(sockz () email com) wrote:
Dear Len,

        I suppose I largely agree with Len.

your argument is self-sealing.  it lacks substance.  if most of the attacks on 
systems are coming from script kiddies, who have found these holes NOT by
themselves but from the security industry and all the 'proof of concept' tools
that come out of it, then how does full disclosure protect the interests of the
admin?

it doesn't.

        Incompetency does not work as an argument against a viable
method.  Hell, a guy might not know how to cook a hamburger properly at
McDonald's; it doesn't mean they're all going to make you sick.

        (Let's hear it for stupid metaphors.)

        As far as I am concerned, if a person cannot properly do their
job, it is their fault.  Eventually, someone is going to get a clue, and
if that means eliminating jobs for those incapable of performing them,
so be it.

        The truth is the most important subject here.  The future of the
Internet is somewhat uncertain, as it is.  Everybody wants to regulate
everything.  It's somewhat sad.

take the recent attacks on XMB by Mike Parniak and his so called "hacking crew".
this script kiddy developed a tool based on a well known md5 exploit in XMB v1.6
Magic Lantern that gives a user admin privileges.  he then distributed that 
tool to lesser skilled script kiddies and the end result was a week of rage 
against XMB boards around the web (oops did i just say that aloud?).  only about
20% of the boards had been patched.  and i restate: the bug had been in public
circulation for a long while and had even been in full view on XMB's software 
update page.

        The emphasis on poorly implemented Web applications on security
lists these days is annoying.

it even appeared on vuln-dev in mid _May_ this year!

        Perhaps that speaks of the userbase of that software, rather
than a general consensus of Internet practices.  I would also suggest
the people who develop the aforementioned software implement a security
or announcement list for their software.  I would hope that they at
least update the Web site.  If a person runs outdated software, that is
their fault.

how did full disclosure work in this case?  by your argument, Len, 6 months
would have been more than enough for all the board admins to update their 
system (all that was required was to change a file name).  why such a low
success rate?  why didn't the security industry's system work in this case (and
so many others)?

        I propose a new government agency mandating access for all
Internet accessible machines across the world.  This agency will be
responsible for updating software without notifying the owners, thus
continuing a security blanket for the world.

        Oh yeah, and the airlines are safe now.  Really, they are.

Regards,
- -- 
\   | \  /  White Vampire\Rem                |  http://gammaforce.org/
 \|\|  \/   whitevampire () mindless com        |  http://gammagear.com/
"Silly hacker, root is for administrators."  |  http://webfringe.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)

iD8DBQE9zyDY3+rxmnEDyl8RAkRnAJ4x0zMV2+AvJVAebA4weduYcsVC7gCffYU0
xsPfWjL2a5dzQB4Ru4Klgjw=
=md6C
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

