Full Disclosure mailing list archives

Re: Making waves on Twitter!
From: Brandon Perry <bperry.volatile () gmail com>
Date: Sun, 26 Jan 2014 16:39:53 -0600

So, here are the problems I have with both sides of this debate right now.
I wouldn't normally play along with politics like this, but it's a nice
Sunday afternoon, and I am feeling saucy.

I post this in an open forum because I believe this debate is useful in an
open forum and I don't believe that Dave should be going up against
polidiots in Congress alone.

Let's think about what is happening. Our claim is that healthcare.gov is
insecure. We are the ones making that claim, and so the burden of proof is
on us. They have effectively proven that they had some sort of pen tests
done (who knows the scope, or how much risk was simply "accepted").
However, the only way to prove that the website is truly insecure is to
break the law. They know this (and let's not forget there is extreme bias
here). You need to look at this from the point of view of the people you
are trying to convince.

I hate this term "passive reconnaissance" because the people you are trying
to convince have *no* idea what this means. You are either using the
website in the way it was intended or you are not (their POV, not mine).
That paints a black and white picture that could fall under the CFAA. In
fact, passive recon sounds like something the NSA does to collect metadata.
Just saying.

Krush obviously has no idea how software development works. Yes, let's
build honeypots into our extremely time-crunched multi-million dollar web
application instead of actually building security measures in. That makes
perfect sense. However, he is playing the political game that Dave is not.
He knows exactly who his audience is, and plays straight into their hand. He
is telling them anything vaguely technical that backs up the story that
everything is secure. And you can't prove that what he is saying isn't true.

The fact that no "real" data is stored permanently (a point that both the
Congress people and Krush make repeatedly) is no point at all. TJX and
Target both had all their data stolen in transit (memory scanning malware).
Neiman Marcus and Michaels are now likely in that boat as well. This is the
perfect time to refute their point since it is fresh on everyone's mind.
Any data existing on those servers at any given point in time should be
considered at risk.

There needs to be a solid story on the 70,000 number. Is there source code
available for these scripts? Dave is going to get clobbered on this if he
can't show exactly what this means. Anyone that is technical probably
understands what is happening, but to anyone who doesn't know what an HTTP
request is, the explanations are very soft and confusing (most media
outlets?). This doesn't work in favor of the arguments because it makes it
seem like something is being hidden.

In the end, this is a political problem. Not a technical problem. You can
throw out hard numbers (hell, they might even be correct), and they can put
words in your mouth and twist what you say to discredit you and you lose.
Politicking is all about 10 second sound bites. That is their game right
now. Not to prove Dave wrong, but to discredit him.

Let's recap: we can't prove the website is insecure without breaking the
law, and our politichildren are not concerned about proving it is secure.
They probably don't even know what "secure" means when it comes to
technical systems like healthcare.gov. I believe Dave is approaching this
as a technical problem, when this is actually a political problem.

For the hell of it, I will drop a Reaganism[1]: Trust, but verify. We are
effectively being told "trust us, it is secure". We should be saying,
"Fine, we trust you. Let us verify". Our tax dollars built the system.
Maybe we should be allowed to view the source code.

I don't really expect any replies, but I love to eat crow. Feel free to
teach me something.

/me grabs some popcorn


[1]. I believe Reagan stole this from the Russians.


On Sun, Jan 26, 2014 at 3:03 PM, David Kennedy <davek () derbycon com> wrote:

As long as it involves the death star creation we may have a chance..
On Jan 26, 2014 9:57 PM, "Brandon Perry" <bperry.volatile () gmail com>
wrote:

I think the only way to solve this debate is a Celebrity Deathmatch-style
stand off.

I will get the petition ready on https://wwws.whitehouse.gov/petitions.
Stay tuned.


On Fri, Jan 24, 2014 at 9:05 AM, David Kennedy <davek () derbycon com> wrote:

Yoooo, what's up. This dude is crazy and probably Waylon Krush (can't
confirm that). He's been tweeting each news organization in an attempt to
throw a bunch of crap out there. Make your own determination, but I'm not
the only one that's found it. First it was I absolutely had access to 70k
and I'm the next Weev and should be arrested, now it's I've morphed myself
into a media whore. Regardless, when it's fixed, I'll post as I've always
said. Even did a full writeup and updates explaining everything:


https://www.trustedsec.com/january-2014/explaining-security-issues-healthcare-gov/

Dude keeps changing and morphing the story into a bunch of different
things and changing the story. Happy to explain whenever and I'm not the
only one who came to the same damn conclusion, 7 others did as well that
were under NDA.

Make your own determination, I've always done things on ethics and being
up front, not hiding in the shadows and claiming insane things behind cloak
and daggers.

-Dave


truthinallthings () hushmail me via lists.grok.org.uk wrote on Jan 22:

This site is making waves on twitter: http://70000in4mins.wordpress.com/
So what say you? Has our dear sweet Lord of the SET hacked healthcare.gov?
Or did he lie about what is really going on to get close to his heroes at
Fox News? Has the spotlight turned him into another Gregory Evans? Desperate
and willing to do anything for his next hit of the spotlight? Or did he
find a way to have Google let him do 70,000 searches in four mins like he
claims?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website