Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: [funsec] the heart of the problem [was: RE: mac trojan in-the-wild]
From: yiri <yirimyah () gmail com>
Date: Sat, 3 Nov 2007 02:20:43 +1100

I would have thought this was obvious, but your analogy is critically shit.
We don't "choose" to be exploitable. Or if we do, we don't have another
viable choice.

We're professional software developers. We have to make software, otherwise
we get hungry and they shut off the power.
That said, we don't have the option of making our software unexploitable,
because we have things called contracts and budgets and at the end of the
day, it's not efficent to fix holes before release, because nobody's going
to find all the flaws that you release the software with.

Your idea has a very limited potential userbase, because not having such
things as cookies and personal files adds a lot of work and makes the people
who use our software less efficent, which makes us poor. You might suggest
that we store such data off-system (say, on a centralised storage system,
online or on personal USB keys) but USB keys would make it much easier to
steal information and with each of those 'fixes' you just force the attacker
to move their attacks to programs that are stored on the writable disk.

That being said, I've used systems which restore all their settings at the
start of each day. They're most commonly used in public libraries,
highschools and universities, where customization is inappropriate to start


On 11/2/07, Drsolly <drsollyp () drsolly com> wrote:

Things are in fact FUBAR. We need new ideas and new solutions as
although we want to feel we make a difference by taking care of this or
that malware or this and that C&C we are powerless and have not made a
real difference in the past 6 years while things got worse.

We need new solutions and new ideas, and would be more than happy to
new people exploring operational security.

My new idea is a computer that cannot have new software installed on it by
the user, or by someone logging in as root, or in any other way, other
than by physical replacement of the OS medium.

My first proposal was Grannyx, which I proposed a couple of years ago. No
work has been done on this, because none of the people who think it's a
good idea, have the time to make it happen. The OS is on a CD Rom, and the
medium on which data is stored, is unable to run software.

The current state of Internet security is you get slapped -- BAM! -- and
you write an analysis about it. (when speaking at ISOI I actually
myself -- HARD -- when I said it on stage, not a good idea for future

A better analogy might be "you see someone else being tapped gently on the
wrist", which explains why no-one does much to stop it happening in

Well, we can't choose the risks. They choose us. Sometimes they are
sometimes they're not.

Well, we can choose the risks, actually. Having chosen the risk, you can't
choose the outcome. But we do choose the risks.

For example, I climbed a tree yesterday. The outcome was good (it might
not have been), but *I* chose the risk.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]