Firewall Wizards mailing list archives

Re: concerning ~el8 / project mayhem
From: "Paul D. Robertson" <proberts () patriot net>
Date: Sun, 18 Aug 2002 03:13:19 -0400 (EDT)

On Sat, 17 Aug 2002, Marcus J. Ranum wrote:

> in the past. If you're a true white hat, you're not replete with
> hacking technique and you're not the kind of guy who can whip out
> a tool to crack into any website any time, or whatever. Unfortunately,

I'm not sure I totally agree with this premise- I think I could sit
and find and code exploits on my test network if I had the time.

> That's not hacking technique, that's commonsense engineering.
> I should have been more clear in my terminology: I meant that you
> don't need to run around with a big encrypted CDROM full of your
> toolz to be a security guru. You need to understand the forms and

Ah, ok-- "Don't need to" isn't the same as "not the kind of guy who can," 
which is where I keyed because I'm sick of people who think you have to 
have a criminal record to be any good at INFOSEC.

> functions of categories of attacks so you can defend against them
> or design around them as _categories_ - having specific knowledge
> (or toolz) to break specific versions of software on specific architectures -
> that's just lame script-kid stuff. And there are a lot of "security
> analysts" whose level of expertise is more in the script kiddy vein
> than not. Perhaps we should call them "Scanner-kiddies" ? ;)

Well, it's not just the pseudo-security folks who have given us this 
problem- a lot of blame rides on the shoulders of the old-school 
consultant/accountant brigade[1]-

It's a heck of a lot more profitable to add 30 patches than it is to 
upgrade, block or remove one service.  Vulnerabilities equal billable 
hours, and (more importantly) thicker reports.  

Task-directed stuff "upgrade that ancient server" isn't as palatable, or as 
obviously continued business generating as reporting 72 different 
vulnerabilities and attributing 6 of them to your own employees who are "saving 
the world" by generating and distributing sample exploits to the bad guys.

I *know* I should upgrade my 8 year old Web server, I didn't know that 
something called candlefritz would cause it to spill out credit card 
data on a multicast network.  Besides which, upgrading that would break my 
phf script!

People *want* security companies to have some mystique, because they seem
to feel that their money is better spent on that stuff they couldn't do
themselves without assistance than on someone who's making sure that what
they *need* to do (which is pretty obvious) is actually done. Showing
that there were 2,500 new vulnerabilities last year gets people budgets
for security, showing 25 of them actually being used doesn't.

We all know that passwords in the clear can be compromised.  We all know 
that everyone who uses a password can't make the correct risk assessment 
for their particular environment- that's why the leap is that you're not a 
"real" security person if you've made that assessment for yourself and 
come out on the "not worth protecting" side of the fence (How do you expect to 
get billable hours if you're not going to implement a VPN to check mail? 
 Not admitting the fact that everyone who has e-mail needs a 3DES over 
quadruple blowfish token-authenticated mail transport is seriously going 
to hurt the consulting business!)

To me, the bad thing isn't that someone will snarf your password and make 
you look bad, it's the "reputation" the person who snarfs it will gain 
from the people and press who don't understand risk assessment.  You're 
supposed to issue press releases about how badly everyone wants to hack 
your pop3 password- then follow up with white papers about how you've 
authenticated through a timing channel and honeypotted all the bad guys 
who didn't know enough to pace the packets darnit!


Paul
[1] My employer doesn't bill by the hour for assurance services, so I'm 
probably biased *and* underpaid.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
