funsec mailing list archives
Re: DefCon 'Race to Zero'
From: B Potter <gdead () shmoo com>
Date: Fri, 25 Apr 2008 22:49:37 -0400
On Apr 25, 2008, at 8:05 PM, Paul Ferguson wrote:
> -- Colin Keigher <colin () afreak ca> wrote:
>
> > And yet the general public still unknowingly gets malware by downloading
> > applications that let them have free MP3s or whatever they want today.
> > Defcon can allow proper exposure on this subject.
>
> Proper exposure? I'm sorry, but if people don't already realize that their
> behavior is already dangerous by reading the plethora of data, articles,
> research, blogs, etc. that is available, some controversial contest to
> write "stealthy" malware at DefCon ain't gonna do it either.
Honestly, I think it's sad that everyone is scared of talking about/building/demo-ing 0day these days. 10 years ago you could go to any security/hacker con and several talks would be revealing some new vuln/exploit. IMO, that's changed dramatically due to several reasons:

- The increased value of 0day information has driven out the casual researcher and turned many of them into employees or consultants. Disclosing 0day at a conference rather than having a customer pay for it can have a big impact on someone's wallet.

- The fear of being sued or arrested. Various laws and civil cases have had a chilling effect (see Wendy Seltzer's work on this) on the research community. Sklyarov et al. spooked everyone and convinced many that it's just not worth the hassle anymore.

- MS et al. have hijacked the discussion of responsible disclosure. They have very carefully crafted the message in a way that implies that if you don't agree with them and their definition of "responsible disclosure" then you must be against making things more secure and really be a malicious hacker at heart.

I find the whole situation offensive. We are WAY too polite about discussing vulnerabilities in public right now. The people attacking us aren't ashamed to share information, and we shouldn't be either. Unfortunately, as a community, there's a self-imposed gag order in place that basically says "if you drop 0-day, you are evil."

Just because you don't talk about something doesn't mean it's not there... that's been a core tenet of security research for a long time. That's why we have concepts like full disclosure and that's why many conferences were originally created.

More power to the contest organizers for encouraging public discourse about the state of vulnerabilities.

my 0.02.

later
bruce
> $.02,
>
> - ferg
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- DefCon 'Race to Zero' Paul Ferguson (Apr 25)
- Re: DefCon 'Race to Zero' Colin Keigher (Apr 25)
- Re: DefCon 'Race to Zero' Rich Kulawiec (Apr 25)
- Re: DefCon 'Race to Zero' Eduardo Tongson (Apr 25)
- <Possible follow-ups>
- Re: DefCon 'Race to Zero' Paul Ferguson (Apr 25)
- Re: DefCon 'Race to Zero' Colin Keigher (Apr 25)
- Re: DefCon 'Race to Zero' Paul Ferguson (Apr 25)
- Re: DefCon 'Race to Zero' B Potter (Apr 25)
- Re: DefCon 'Race to Zero' Rich Kulawiec (Apr 26)
- Re: DefCon 'Race to Zero' Joel R. Helgeson (Apr 28)
- Re: DefCon 'Race to Zero' Toralv_Dirro (Apr 28)
- Re: DefCon 'Race to Zero' Nick FitzGerald (Apr 28)
- Re: DefCon 'Race to Zero' Gadi Evron (Apr 28)
- Re: DefCon 'Race to Zero' Blue Boar (Apr 28)
- Re: DefCon 'Race to Zero' Nick FitzGerald (Apr 29)
- Re: DefCon 'Race to Zero' B Potter (Apr 25)
- Re: DefCon 'Race to Zero' Colin Keigher (Apr 25)
- Re: DefCon 'Race to Zero' 'Rich Kulawiec' (Apr 28)
- Re: DefCon 'Race to Zero' Gadi Evron (Apr 25)