[ Posted to the full-disclosure mailing list ]

[PHC] Your network will never be secure.

[paul] This is a given.

- -------------------------------------------------------------------------------

%Point 1% You agree this is a given.

- -------------------------------------------------------------------------------

[PHC] People seem to think Attack Windows -- a term coined by the same class of people who brought you the Nop Sled (tm) -- exist between public vulnerability disclosure and public patch release. This is untrue; Attack Windows exist from public vulnerability disclosure right back into the long forgotten past. Example: if in 2010 a vulnerability is publicly disclosed in a widely used program that has been used for 20 years, then every box on the planet using that program has been at risk for 20 years, and not merely the week or so between public announcement and public fix. In retrospect, the security industry accomplished nothing in 20 years, except stuffing their pockets with cash and generating a false sense of security.

[paul] Agreed, as to the first part, but your conclusion doesn't follow. They may have accomplished nothing WRT that one weakness. That says nothing about other weaknesses they may have exposed and which got fixed as a result. Do you *really* expect intelligent people to believe that the "Trustworthy Computing" initiative that Microsoft has undertaken would have *ever* happened without the steady stream of embarrassing disclosures, culminating in the awful buffer overflow in UPnP, that led up to that announcement? Frankly, that stretches credulity to the breaking point!

- --------------------------------------------------------------------------------

Granted, the security community may have increased vendor awareness, but awareness alone does not lead to security. Even people who tug to security 24/7, like Theo de Raadt, have failed miserably.
It's wrong to expect Microsoft to develop perfectly secure software, just like it's wrong to expect anyone else to be able to. Yet this doesn't stop the security industry banging on about it, contradicting their "there is no such thing as perfectly secure software."

I'm sure you realize the argument is not about "what brings security," as absolutes are not possible, but "what brings a better level of security." Based on the article mentioned in Sermon #3 and the articles of Marcus Ranum (both written by prominent 'whitehats', hence no ulterior 'blackhat motives'), non-disclosure leads to a better level of security in the short-term. Therefore, it remains only to be contested whether full disclosure leads to better security in the long-term.

Since non-disclosure has a foundation in the short-term as being a workable solution, whilst full disclosure in the short-term is detrimental (a "necessary evil"), we feel that the burden of proof is on the security industry to tell us why full disclosure in the long-term will be any different to full disclosure in the short-term. We don't believe it will be; we believe this "necessary evil" in the short-term will only intensify as time goes by. We base this belief on the pattern that has evolved over the last decade during the Reign of Full Disclosure. Logical projection into the future tells us it will continue. We may be wrong, and we invite correction.

- --------------------------------------------------------------------------------

If the security industry wasn't constantly exposing Microsoft's warts, there would be no "Trustworthy Computing" initiative, there would be no security department at Microsoft, there would be no security bulletins, there would be no "hotfixes". You cannot honestly believe that, in the face of Microsoft's awful security record, that silence would be the correct behavior!

[PHC] Insecurity will be perpetual. As democow said, blackhats will always be able to compromise you.
Scriptkids will not be able to compromise you if you always manage to win the scriptkid-admin race that occurs when a new bug is disclosed on a security mailing list. However, not all admins will be so lucky. The security industry in this manner has increased not only the number of attackers exponentially, but the threat to the Internet at large. This is a cycle that can stop, but it won't happen while the security industry can make money on it. They need figures and statistics to market their flimsy products. They need visible threats to justify their existence. They need widespread defacements and system compromises.

[paul] And the alternative is?

- --------------------------------------------------------------------------------

NON-DISCLOSURE
==============

short-term
- ----------
attackers: blackhats/professionals

long-term
- ---------
attackers: blackhats/professionals

FULL DISCLOSURE
===============

short-term
- ----------
attackers: blackhats/professionals
attackers: inordinate number of scriptkids

long-term
- ---------
attackers: blackhats/professionals (based on %Point 1%)

*** Is this stage (full disclosure, long-term) even reached? And if so, what
*** did it achieve that non-disclosure didn't, other than injecting scriptkids
*** into the digital ecosystem, causing a greater number of admins headaches,
*** and allowing the security industry to stuff their pockets with cash?

- --------------------------------------------------------------------------------

Assume for a moment that everything you've said so far is correct. Assume further that there is no security industry to "blow the whistle". Then this is the situation: all systems are insecure by default and will always be insecure, and the holes are only known by a select few, the so-called blackhats. What options do the network admins have then?

- --------------------------------------------------------------------------------

Blackhats exist in both schemes. There's nothing we can do to stop them.
It's just a question of which scheme brings subsidiary pains-in-the-ass and which doesn't.

- --------------------------------------------------------------------------------

I submit they have none. Each time a system is compromised, the admin then either has to learn enough programming to be able to *correctly* understand the source of the problem (assuming he has access to the source) *or* demand that the vendor fix the problem that allowed the breakin. But the admin has no leverage with the vendor. He's already paid for the software. He has no contract with the vendor to protect him. Even if he can motivate the vendor to fix the problem, it's probably going to be in a new release, not in the existing one (because then the vendor would have to announce the problem to all his customers.) Furthermore, that admin has an ethical obligation to let other users know about the weakness. Otherwise he is culpable in their future breakins.

[PHC] In the SecurityFocus article, _Full disclosure is a necessary evil_, Elias Levy agrees that full disclosure brings more short-term insecurity than non-disclosure does. So it's not only the 'blackhats' who see this. However, Levy qualifies this short-term insecurity as a "necessary evil" to effect long-term security. Just HOW long-term is a matter of conjecture, but based on the security industry's own tenet that "no software, system, or network can be totally secure," we don't ever see the final destination being reached by the security industry. Instead, we see them as the purveyors of lies and broken promises who will never be able to deliver what they're paid for. This holds true even for the 5% of 'programmer-phrack-magazine-esque' security professionals Who Have A Clue. The crazy thing is that it's their inability to deliver the goods that keeps them in business. While they rake in large amounts of cash and fail miserably at their self-appointed task, their failures succeed in convincing the gullible that they're still needed.
[paul] You can't have your cake and eat it too. If, as you say, there will never be anything like total security in software, then you can't also accuse the security industry of having failed in their mission, simply because the forgone conclusion has been reached. Under the conditions which you describe, success can never be reached.

- --------------------------------------------------------------------------------

Success can never be reached, hence the security industry is bound to be unsuccessful in the long-term. Therefore, the other alternative may be more palatable.

- --------------------------------------------------------------------------------

However, if the security industry has helped close one single hole, then they have succeeded more than if they had done nothing, which is what you're advocating.

- --------------------------------------------------------------------------------

They have closed one single hole, which did what? Publicly announced the hole to the scriptkid population, allowing them to attack the greater majority of admins who aren't as diligent as you are, all in the name of a future Utopia that we have no reason to believe will even occur. Meanwhile, the blackhats carry on unhindered, due to their alleged resourcefulness, creativity, and persistence. So you've won the scriptkid-admin race yet again, but other admins might not be so lucky -- the greater number of admins, in fact.

- --------------------------------------------------------------------------------

Furthermore, you cannot accuse the security industry of failing because the software vendors have failed to program securely. The security industry's job is to reveal the problem and suggest solutions. They cannot force the vendors to fix the problem.
[PHC] There was a Vuln-Dev thread on Alan Turing's "Halting Problem" (we remember this thread because it was probably the only educated thread ever to appear on Vuln-Dev, not to mention a brilliant battle of wits between Lcamtuf-the-Brain and Mixter-the-Fucking-Narc) that brought the identification of security holes in software under the light of elementary discrete mathematics. This added to the tenet mentioned above. We mention this to reiterate what we said in Sermon #2 about all disciplines of study being applicable in some way, however slight, to the problem we seek to change. See, even a math nerd can help us.

[paul] Try to understand the problem from the viewpoint of a network admin. Most could care less about the philosophical debates that surround these issues. Most don't want to learn to program, more than what is necessary to automate routine tasks. They don't want to master multiple disciplines *in addition to* their chosen profession, and they don't want

- --------------------------------------------------------------------------------

We do understand the problem from the viewpoint of a network admin. A lot of us are network admins ourselves. The point about using a multi-disciplinary argument was so that everyone who cares to hear our views can hear them from the discipline they're most accustomed to. Philosophers want philosophical arguments, theologists want theological arguments, scientists want empirical arguments, and so forth. We are lacking in many areas, which is why we invited the submissions of more educated individuals in those areas.

- --------------------------------------------------------------------------------

to have to deal with breakins on top of all the other problems that come with trying to network heterogeneous systems and protocols so that users can seamlessly access what they want and need to access. What you are advocating is that they simply "deal with it", rather than offering any solutions to the problem.
- --------------------------------------------------------------------------------

We are advocating the removal of their need to deal with scriptkids. This should be far less taxing on their time and energy.

- --------------------------------------------------------------------------------

[PHC] In summary, the security industry is reaping large sums of money for doing absolutely nothing for Internet security.

[paul] You can't make this leap of logic from the evidence that you've presented. You claim that it's impossible to completely secure software systems. Then you accuse the security industry of having failed because they haven't completely secured those systems.

- --------------------------------------------------------------------------------

We claim that it's impossible to completely secure software, by the admission of security professionals themselves, THEREFORE we accuse them of being money-mongering criminals (?) who know deep down that they're chasing the wind, securing nothing other than their employment status.

- --------------------------------------------------------------------------------

And if the security industry has caused the "Trustworthy Computing" initiative to come to pass, then you certainly can't accuse them of "doing absolutely nothing".

[snipped the irrelevant political diatribe]

[PHC] We can churn out sermon after sermon, but it will do little good if nobody gives a damn. We're not fools to believe all this talk will do anything great. If you see what we are fighting for, then PLEASE contribute Stuff to the cause, where Stuff can be textfiles, graphics, old AntiSec posts, ideas, constructive criticism, whatever.

[paul] What I see you preaching for is for my network to remain vulnerable and compromised forever. That's not a goal I would work for. So why should I assist you in yours?

- --------------------------------------------------------------------------------

No, you agree by %Point 1% that it will always be insecure.
So why not cut down on the number of people who can cause you grief? Full disclosure certainly doesn't do it, not with its "necessary evil."

- --------------------------------------------------------------------------------

[PHC] And if you call anything that moves a "scriptkid" or a "lamer," for fuck's sake, do not bother replying to this.

[paul] No, I call people who break in to other people's computers jerks. I really could care less what motivates them to do it.

- --------------------------------------------------------------------------------

Paul, that comment was directed at other critics who don't even bother reading what we write, like the individual who first replied to Sermon #2.

- --------------------------------------------------------------------------------

Paul Schmehl (pauls@utdallas.edu)
TCS Department Coordinator
University of Texas at Dallas
http://www.utdallas.edu/~pauls/

PHC Sermon #4
http://phrack.efnet.ru | http://phrack.ru
"Join us to teach and learn."