funsec mailing list archives

Re: DefCon 'Race to Zero'


From: B Potter <gdead () shmoo com>
Date: Fri, 25 Apr 2008 22:49:37 -0400


On Apr 25, 2008, at 8:05 PM, Paul Ferguson wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Colin Keigher <colin () afreak ca> wrote:

And yet the general public still unknowingly gets malware by downloading
applications that let them have free MP3s or whatever they want today.
Defcon can allow proper exposure on this subject.


Proper exposure?

I'm sorry, but if people don't already realize that their behavior
is already dangerous by reading the plethora of data, articles,
research, blogs, etc. that is available, some controversial contest
to write "stealthy" malware at DefCon ain't gonna do it either.

Honestly, I think it's sad that everyone is scared of talking about/building/demo-ing
0day these days.  10 years ago you could go to any security/hacker con and
several talks would be revealing some new vuln/exploit.  IMO, that's changed
dramatically due to several reasons:

- the increased value of 0day information has driven out the casual  
researcher and turned many of them into employees or consultants.   
Disclosing 0day at a conference rather than having a customer pay for  
it can have a big impact on someone's wallet.

- The fear of being sued or arrested.  Various laws and civil cases  
have had a chilling effect (see Wendy Seltzer's work on this) on the
research community.  Sklyarov et al spooked everyone and convinced
many that it's just not worth the hassle anymore.

- MS et al have hijacked the discussion of responsible disclosure.   
They have very carefully crafted the message in way that implies that  
if you don't agree with them and their definition of "responsible  
disclosure" then you must be against making things more secure and  
really be a malicious hacker at heart.

I find the whole situation offensive.  We are WAY too polite about  
discussing vulnerabilities in public right now.  The ppl attacking us  
aren't ashamed to share information, and we shouldn't be either.   
Unfortunately, as a community, there's a self-imposed gag order in  
place that basically says "if you drop 0-day, you are evil"

Just because you don't talk about something, doesn't mean it's not
there... that's been a core tenet of security research for a long
time.  That's why we have concepts like full-disclosure and that's why
many conferences were originally created.  More power to the contest  
organizers for encouraging public discourse about the state of  
vulnerabilities.

my 0.02.

later

bruce



$.02,

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFIEnGpq1pz9mNUZTMRAkgzAJwLylDgy287QAlcOJ123dph59Ck6wCgyBR5
Jsmt3eFXSsoXbPg6AM5j7WI=
=SGd7
-----END PGP SIGNATURE-----


--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
