Full Disclosure mailing list archives
Re: SMS Banking
From: "Craig S. Wright" <craig.wright () Information-Defense com>
Date: Thu, 11 Feb 2010 06:56:50 +1100
Tim,

You stated "You are officially on." to my challenge.

I am arranging a contract. An attorney has been arranged for both the contract and the escrow. This will take a number of days. The amount has upped and there are a couple of other aspects, but the initial framework holds.

Stop trying to weasel.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

From: Thor (Hammer of God) [mailto:Thor () hammerofgod com]
Sent: Wednesday, 10 February 2010 3:59 PM
To: craig.wright () Information-Defense com; Valdis.Kletnieks () vt edu
Cc: pen-test () securityfocus com; 'full-disclosure'; security-basics () securityfocus com
Subject: RE: [Full-disclosure] SMS Banking

Now you're talking. But first let's work up an actual contract. Neither of your components defines anything. When you say that you are going to predict risk with your magic formula, do you mean if the software has vulnerabilities? That it can be hacked, or will be hacked? Be sure to define this properly and definitively: if you end up saying that a system has a 1% chance of being hacked, and I (or my auditors) hack it, would you claim you were right? I question if you can even define the parameters of this bet, much less apply your formulas, but we'll see. I also want to know what scale you plan to use. So far, even though I've asked, you've not provided what the answer to your formula is, or how it will be applied. I'm assuming, unless you are going to change your tune, which I wouldn't doubt, that you won't look at the software code or threat models, but rather apply your formulas. I further assume that the loser will be financially responsible for the audits done my way. I'm more than happy to take your money, and I look forward to doing so. Since one of your master's degrees is in law, I'm assuming you can clearly define the terms of the contract. I will, of course, insist upon a contract, and I hope you won't mind that I have my own attorney look it over.

I'm not immediately trusting of the competence of one with a doctorate degree and multiple master's degrees who can't spell "technology" or "experience" correctly on his on-line CV.

You are officially on. And I'm looking forward to it.

t

From: Craig S. Wright [mailto:craig.wright () Information-Defense com]
Sent: Tuesday, February 09, 2010 7:41 PM
To: Valdis.Kletnieks () vt edu; Thor (Hammer of God)
Cc: pen-test () securityfocus com; 'full-disclosure'; security-basics () securityfocus com
Subject: RE: [Full-disclosure] SMS Banking

I have a simple answer to this. Forget the debate; rhetoric is not a scientific method of determining truth. Thor wants a challenge; let's have one, a real one and not one based on verbalisations, abuse and unfounded assertions.

I suggest two components:

1. A selection of software products are tested using both processes; that is, I use a model for the risk of these products, and Thor can make up whatever guesses he wishes. We model (or Thor guesses, pulls from a hat...) the vulnerabilities over a time period. The number of bugs in the software as well as the risk are to be presented as a monthly estimate.

2. We model a few systems (say 50). We can use honeypots (real systems set to log all activity without interference) run by an independent party to each of us. I use probabilistic models to calculate the risk. Thor does whatever he wants.

Each of the predictions is published by all parties. The one who is most accurate wins. Fairly simple?

I will even give a handicap to Thor: I will offer to predict within a 95% confidence interval, and for me to win, at least 90 of the 100 software products and 45 of the 50 systems have to lie within the predicted range that I calculate and release. Thor simply has to guess better than I do, no matter how far out he is.

I will put up $10,000 AU for my side. Let's see if Thor has something real to offer.

Regards,
...
Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
Information Defense Pty Ltd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: SMS Banking, (continued)
- Re: SMS Banking Thor (Hammer of God) (Feb 10)
- Re: SMS Banking Craig S. Wright (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 10)
- Re: SMS Banking Craig S. Wright (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 10)
- Re: SMS Banking Benji (Feb 10)
- Re: SMS Banking Craig S. Wright (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 10)
- Re: SMS Banking Rosa Maria Gonzalez Pereira (Feb 11)
- Re: SMS Banking Christian Sciberras (Feb 11)
- Re: SMS Banking Craig S. Wright (Feb 10)
- Re: SMS Banking Nick Chernyy (Feb 11)
- Re: SMS Banking Thor (Hammer of God) (Feb 09)
- Re: SMS Banking Valdis . Kletnieks (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 10)
- Re: SMS Banking Thor (Hammer of God) (Feb 10)
- Re: SMS Banking McGhee, Eddie (Feb 11)
- Re: SMS Banking Craig S Wright (Feb 11)
- Re: SMS Banking Thor (Hammer of God) (Feb 11)
- Re: SMS Banking sine onus (Feb 11)