It started with this post by M.D.Mufambisi to the pen-list list:
Im designing an SMS baking application but i need to research on the security risks involved first... What are the risks around this application? How are such applications normally subverted? Are there any case studies someone can point me to?
After a few responses, Craig Wright chimed in:
The solution needs to be based on risk.
Where a system uses an SMS response with a separate system (such as a web page), the probability that the banking user is compromised and a fraud is committed, P(Compromise), can be calculated as:
P(Compromise) = P(C.SMS) x P(C.PIN)
Where: P(C.SMS) is the probability of compromising the SMS function and P(C.PIN) is the compromise of the user authentication method
Craig followed up with a blog post:
Many people feel that it is not feasible to model risk quantitatively. This of course is blatantly false. In the past, many of the calculations have been computationally infeasible at worst and economically costly at best. This has changed. The large volumes of computational power that is available coupled with novel stochastic methods has resulted in an efficiently viable means of calculating risk quantitatively with a high degree of accuracy. This can be measured as a function of time (as survival time), finance (or monetary value) or any number of other processes...
Tim Mullen, a guy who I first met in 2002 teaching at Black Hat, responded on full-disclosure:
I'm looping in the FD list because often my replies don't make it to Pen-Test, and this has hit a nerve with me.
I've looked over your post...
Once I was able to get past the overwhelming egoism and self-substantiating claims of your contributions to the industry, I arrived at the conclusion that the only portion of the aforementioned page that is not complete drivel and even laughable to anyone who has actually worked towards ascertaining actual risk in production environments, is where you describe your own words as "ravings..."
I'm fine with you sitting back and gloating about the Security Hero award you got from Northcutt, but when I see that you are actually contributing to ANY level of Critical Infrastructure Protection, it makes me fear for anyone who might be counting on your presumed skillset to actually make intelligent decisions about risk where human safety is at stake.
Your "risk formula" is ridiculous. What number would your formula have yielded 2 weeks before SQL Slammer was released? Where is the variable for unpatched systems? What number do we plug in for malicious employee factorization? More importantly, where is the calculation for self absorbed snake-oil selling academics with no real experience using their calculator to come up with magic numbers that represent the risk of a nuclear power plant being hacked?
Since you are (self-described) as "currently the only GIAC GSE (Compliance) holder globally and the most highly accredited Global Information Security Professional" and thus (presumably, if only in your mind) the greatest security mind in the world, how about accepting a challenge to an open debate on the subject at Defcon? People like you are dangerous and need to be exposed before someone in a position of power actually believes that you know what you are talking about. Bring your abacus.
Craig then responded with some sort of monetary challenge, and Tim and Craig are now debating how to arrange that.
If you want history on why I consider model = clown, please check out the posts on my clown tag.
When I read
"In the past, many of the calculations have been computationally infeasible at worst and economically costly at best. This has changed. The large volumes of computational power that is available coupled with novel stochastic methods has resulted in an efficiently viable means of calculating risk quantitatively with a high degree of accuracy."
it is clear to me Craig is pretty well disconnected from reality. Did we not just suffer a global recession exacerbated by clowns who thought they could model risk "with a high degree of accuracy"?