Wednesday, August 10, 2005

More Mildly Condescending Comments

Pete has responded to my previous post. Pete says:

"I actually believe the REAL threat exists. While everyone else works on the manufactured stuff, I want to protect my assets against true threats.

Regardless of my level of confidence, however, I don't claim to have evidence and I refuse to manufacture it. And I find general 'cloak and dagger' statements that security professionals make to be lacking any impact whatsoever...

If you really do know and can't say, why would you hang the entire Internet out to dry by keeping in-the-wild exploits against undercover vulnerabilities a secret while you encourage the wheel spinning of research and disclosure?"

Many readers in the DC metropolitan area will recognize that I am in a delicate position here. All I can really do is point to some publicly available documents to try to change Pete's world view. He can then make up his own mind. These are all open source, Internet-available documents hosted on completely public .mil sites for the benefit of visitors.

That's all I can say on the matter. I'm not trying to be devious, but there are lines that cannot be crossed. I hope Pete appreciates the picture of Gamera I managed to find for him.

6 comments:

Anonymous said...

Some interesting things to consider (and I'm really enjoying the fact that I've never been TS/SCI cleared, that none of the following information violates any of the non-disclosure agreements I've signed, and, on a side note, that these things generally invoke a warm and fuzzy feeling in my stomach, due to my uncanny sense of morbidly tragic humor):

1. NULLs only terminate string-based copy operations.
2. Heap overflows allow you to overwrite arbitrary memory addresses.
3. There are huge chunks of writable memory in the BSS segments of the process structure of various (dare I say ALL moderately relevant) architectures that have a nice tendency of not moving within the address space across versions and patch levels (M$ might have gotten better with this; it's not my forte).
4. It's relatively easy to footprint attack payloads.
5. It's relatively easy to springboard-search the area in memory likely to contain said footprint, in a small amount of code.
6. There are publicly available methods of creating covert execution channels, here and here.
7. While we've yet to see a remote kernel-based attack released to the public, it's both naive and ignorant to assume they don't exist, in one-shot multiplatform format (how many operating systems have TCP stacks based on 4.4BSD, someone remind me, heh ;PPPpppPppPppPPP).

What do you think our (and, for the benefit of good argument, other) governments have been researching for the past 8 years?

Granted, security research isn't something you can just throw money at to generate progress.... Wait, did I just say that? I must be high.

It's probably a safe bet that multiple governments have thrown Billions, yes with a B and most definitely plural, and needless to say if they spent even 1% of that budget allotment wisely, they are light years ahead of anything that's going to hit the shelves anytime soon.

This should add a bit of scope to Mr. Bejtlich's point here. And while it may have been done in an undesirable fashion, I myself have never been one to concern myself with the impact of the information I release to the public domain, as it's the essential philosophical stance of the entire security industry.
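Points 1, 4 and 5 in the comment above are concrete enough to show in code. The following C program is an added example, not part of the original post or the commenter's material: it demonstrates that a string-based copy (strcpy) silently truncates a payload at its first NUL byte while a length-driven copy (memcpy) carries the whole thing, and it implements a minimal egg-hunter-style search that locates a footprinted payload in a memory region by scanning for a doubled tag word. The payload bytes, the tag value 0x50905090, and the 256-byte "region" are all constructed here for illustration and are not taken from any real exploit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed 12-byte payload (illustration only, not real shellcode):
 * two filler bytes, a little-endian 32-bit address 0x00401000 that
 * contains two NUL bytes, and six more filler bytes.
 */
static const unsigned char payload[12] = {
    0x90, 0x90, 0x00, 0x10, 0x40, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc
};
#define PAYLOAD_LEN (sizeof payload)

/* Point 1: a string-based copy stops at the first NUL. Returns how many
 * payload bytes actually arrive in the destination buffer. */
size_t bytes_kept_by_strcpy(void)
{
    char dst[32] = {0};
    strcpy(dst, (const char *)payload);   /* copies 0x90 0x90, then halts */
    return strlen(dst);                   /* only 2 of 12 bytes survive */
}

/* A length-driven copy treats NUL as ordinary data: all 12 bytes arrive. */
size_t bytes_kept_by_memcpy(void)
{
    unsigned char dst[32] = {0};
    memcpy(dst, payload, PAYLOAD_LEN);
    return memcmp(dst, payload, PAYLOAD_LEN) == 0 ? PAYLOAD_LEN : 0;
}

/* Offset of the first NUL in a buffer: the first byte that would have to
 * be encoded away if the only way in were a string copy. -1 if none. */
ptrdiff_t first_nul_offset(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0)
            return (ptrdiff_t)i;
    return -1;
}

/*
 * Points 4 and 5: the payload is "footprinted" by prefixing it with a tag
 * written twice, so the search only has to compare two consecutive words
 * and can itself stay tiny. Returns the offset just past the double tag
 * (i.e. the start of the payload), or -1 if the footprint is not present.
 */
ptrdiff_t find_egg(const unsigned char *region, size_t len, uint32_t tag)
{
    uint32_t a, b;
    for (size_t i = 0; i + 2 * sizeof tag <= len; i++) {
        memcpy(&a, region + i, sizeof a);              /* unaligned-safe read */
        memcpy(&b, region + i + sizeof a, sizeof b);
        if (a == tag && b == tag)
            return (ptrdiff_t)(i + 2 * sizeof tag);
    }
    return -1;
}

/* Build a constructed 256-byte "memory region": junk, then tag, tag, payload
 * at offset 100. Returns the payload offset the hunter finds (108), or -1. */
ptrdiff_t demo_egg_search(void)
{
    unsigned char region[256];
    const uint32_t tag = 0x50905090u;   /* arbitrary tag chosen for this demo */
    const size_t at = 100;

    memset(region, 0x41, sizeof region);
    memcpy(region + at, &tag, sizeof tag);
    memcpy(region + at + sizeof tag, &tag, sizeof tag);
    memcpy(region + at + 2 * sizeof tag, payload, PAYLOAD_LEN);

    ptrdiff_t off = find_egg(region, sizeof region, tag);
    if (off < 0 || memcmp(region + off, payload, PAYLOAD_LEN) != 0)
        return -1;
    return off;
}

int main(void)
{
    printf("strcpy keeps %zu of %zu payload bytes; memcpy keeps %zu\n",
           bytes_kept_by_strcpy(), PAYLOAD_LEN, bytes_kept_by_memcpy());
    printf("first NUL at offset %td; egg hunter found payload at offset %td\n",
           first_nul_offset(payload, PAYLOAD_LEN), demo_egg_search());
    return 0;
}
```

The practical lesson is the one the comment alludes to: whether a payload needs NUL-free encoding depends entirely on which copy primitive carries it, and once a small first stage is running, a doubled-tag search over writable memory finds the rest without knowing its address in advance.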

Anonymous said...

re: My World View. My world view is that there is a real threat out there. You are valiantly attempting to change that by making unsupported comments and pointing me to policy docs and press releases, but I refuse to believe it has ALL been manufactured.

I will continue to believe that the threat is real and that the white hat discovery/disclose cycle is distracting and we should be focused on the real problem.

Pete Lindstrom

Anonymous said...

Speaking of unsupported comments and claims, where do you suggest we go about discovering these "real" threats. AFAIK Blaster managed to drop 25% of our country's power grid last year.

You have to have a FIRM grasp of the threat model to identify any potential solution; you seem to have apparently identified neither. The WhiteHat(tm) disclosure model is in fact inherently flawed, but not for the reason you are specifying.

S1nc3r3ly Urz,
Th3 M4d 4nt1-H4tt3R

tqbf said...

Can I just say, if governments have really thrown billions of dollars at the vulnerability problem (or opportunity, or whatever), it doesn't show from the type of problems we still find on a daily basis in ridiculously mission-critical code.

Keydet89 said...

Richard,

Pete's got a point. I went over and took a look at his blog...and his point about those who really DO know shouldn't be saying is well taken. And since I am aware of the sensitive position that you point out, I agree with his stance even more.

For someone to stand up and say, "Hey, I'm in the know, and I DO know...but I can't tell you anything about what I know" is complete BS. If you're covered by TS/SCI clearances or something even higher, and you're not supposed to talk about Fight Club, then you DON'T TALK ABOUT FIGHT CLUB! It's that simple...just telling someone that you know about it is talking about it, even if you don't give away the precious details.

It's just grandiose posturing in order to seem self-important.

Besides, you were in the military...you know as well as I do how some people go out of their way to classify their lunch schedule and their golf tee times.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Richard Bejtlich said...

There does not seem to be a reasonable way to discuss this issue without causing trouble for the parties involved. Consider the issue closed.